FirstBlood-#32 Multiple Register on same Username



On 2021-05-09, mava reported:

Hi zseano,
I found a Business Logic Vulnerability inside FirstBloodhackers.

Summary

A user with an invite code can register multiple accounts under the same name using the same invite code.

PoC

  1. Acquire an Invite Code, e.g.: F16CA47250E445888824A9E63AE445CE
  2. Register a new account, let's call him Admin:
  3. Let's use the same Invite Code and Username to register a new account:
  4. You can only log in to the user with the later password.

Impact

This Business Logic Vulnerability allows anybody with an Invite Code to "take over/lock out" any doctor from his account, just by registering it with the same username.

Fix

Only 1 account must be allowed per username

Kind regards,
Max

P2 High

Endpoint: /register.php

Parameter: Username

Payload: Admin


FirstBlood ID: 17
Vulnerability Type: Auth issues

Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.
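The behaviour classified above (a second registration silently deleting and replacing the original account) and the suggested fix (only one account per username) side by side, as an added example written for this page; it is not FirstBlood's own register.php code, which is not published here. It uses an in-memory SQLite table, and the table layout, function names and the case-insensitive username collation are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema for the example. COLLATE NOCASE makes the uniqueness check
# case-insensitive so "Admin" and "admin" cannot coexist as two accounts (an
# additional hardening choice, not something the report asks for).
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY COLLATE NOCASE,
    pw_hash  BLOB NOT NULL,
    salt     BLOB NOT NULL
);
"""


def new_db():
    """Fresh in-memory database with the users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _normalize(username):
    return username.strip()


def register_vulnerable(conn, username, password):
    """Registration that behaves like the report describes.

    INSERT OR REPLACE treats a duplicate username as "overwrite": the original
    row is deleted and replaced by the new credentials, so the first owner is
    locked out and the second registrant now owns the account.
    """
    salt = os.urandom(16)
    conn.execute(
        "INSERT OR REPLACE INTO users (username, pw_hash, salt) VALUES (?, ?, ?)",
        (_normalize(username), _hash(password, salt), salt),
    )
    conn.commit()
    return True


def register_fixed(conn, username, password):
    """Registration that enforces one account per username.

    A plain INSERT against the PRIMARY KEY makes the database reject the
    duplicate atomically; a separate SELECT-then-INSERT check would leave a
    race window between the lookup and the write.
    """
    salt = os.urandom(16)
    try:
        conn.execute(
            "INSERT INTO users (username, pw_hash, salt) VALUES (?, ?, ?)",
            (_normalize(username), _hash(password, salt), salt),
        )
        conn.commit()
    except sqlite3.IntegrityError:
        conn.rollback()
        return False  # username already taken; existing account untouched
    return True


def login(conn, username, password):
    row = conn.execute(
        "SELECT pw_hash, salt FROM users WHERE username = ?", (_normalize(username),)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash(password, row[1]))


def demo(register):
    """Replay the report's PoC against a given register() implementation."""
    conn = new_db()
    register(conn, "Admin", "original-secret")
    second_accepted = register(conn, "Admin", "attacker-secret")
    return {
        "second_accepted": second_accepted,
        "original_can_login": login(conn, "Admin", "original-secret"),
        "attacker_can_login": login(conn, "Admin", "attacker-secret"),
    }


if __name__ == "__main__":
    print("vulnerable:", demo(register_vulnerable))
    print("fixed:     ", demo(register_fixed))
```

With register_vulnerable the second registration is accepted and only the later password works, exactly the lock-out the report describes; with register_fixed the second attempt is refused and the original password keeps working. A cheap detection signal on the server side is the same: log and alert on registration attempts that hit the uniqueness constraint, since a legitimate user rarely re-registers an existing name.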

Report Feedback

@zseano

Creator & Administrator


Nice find, I actually did add some code to prevent this but it seems it didn't work correctly, so I've added it as an unintended and I'm awarding you a bounty :)


Respect Earnt: 2500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.