FirstBlood-#32Multiple Register on same Username
This issue was discovered on FirstBlood v1

On 2021-05-09, mava Level 2 reported:

Hi zseano,
I found a Business Logic Vulnerability inside FirstBloodhackers.


A User with an Invite Code can register multiple account under the same name useing the same invite code.


  1. Aquire a Invite Code e.g.: F16CA47250E445888824A9E63AE445CE
  2. Register a new account, lets call him Admin:
  3. Lets use the same Invite code and Username to register a new account:
  4. You can only login into the user with the later password.


This Business Logic Vulnerability allows anybody with a Invite Code to "takeover/lock out" any doctor of his account, by just registering it with the same username.


Only 1 account must be allowed per username

Kind regards,

P2 High

Endpoint: /register.php

Parameter: Username

Payload: Admin

FirstBlood ID: 17
Vulnerability Type: Auth issues

Unintended: An account with the same username can be created which leads to the original account being deleted and replaced with the attackers

Report Feedback


Creator & Administrator

Nice find, I actually did add some code to prevent this but it seems it didn't work correctly , so i've added it as an unintended and i'm awarding you a bounty :)