FirstBlood-#32 — Multiple Register on same Username
This issue was discovered on FirstBlood v1
On 2021-05-09, mava Level 2 reported:
Hi zseano,
I found a Business Logic Vulnerability inside FirstBloodhackers.
Summary
A user with an invite code can register multiple accounts under the same name using the same invite code.
PoC
- Acquire an invite code, e.g.:
F16CA47250E445888824A9E63AE445CE
- Register a new account, let's call him Admin:
- Let's use the same invite code and username to register a new account:

- You can only log in to the user with the later password.
Impact
This business logic vulnerability allows anybody with an invite code to "take over/lock out" any doctor from his account,
by just registering it with the same username.
Fix
Only one account must be allowed per username.
Kind regards,
Max
P2 High
Endpoint: /register.php
Parameter: Username
Payload: Admin
FirstBlood ID: 17
Vulnerability Type: Auth issues
Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.
Creator & Administrator
Nice find, I actually did add some code to prevent this but it seems it didn't work correctly, so I've added it as an unintended and I'm awarding you a bounty :)
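The behaviour described in the report and in the "Unintended" note (a second registration with the same username deletes the original row and replaces it, so only the newer password works) is easy to reproduce and to fix at the data layer. The following is an added example written for this page, not FirstBlood's own PHP code: it models /register.php with an in-memory SQLite store and contrasts the reported delete-then-insert flow with a hardened version that enforces one account per username via a UNIQUE constraint and consumes each invite code in the same transaction. The invite code is the one quoted in the PoC; the attacker's invite code, the usernames and the passwords are constructed sample values, and the password hashing is a placeholder for an illustration only.

```python
import hashlib
import secrets
import sqlite3

# Constructed sample data: the first code is the one quoted in the report,
# the second is a made-up code held by the attacker.
DOCTOR_INVITE = "F16CA47250E445888824A9E63AE445CE"
ATTACKER_INVITE = "0123456789ABCDEF0123456789ABCDEF"


def _hash_password(password: str, salt: str) -> str:
    # Illustrative only; a production app should use bcrypt or argon2.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def new_db(hardened: bool) -> sqlite3.Connection:
    """In-memory user store. The hardened schema makes username UNIQUE."""
    conn = sqlite3.connect(":memory:")
    unique = "UNIQUE" if hardened else ""
    conn.executescript(f"""
        CREATE TABLE invites (code TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE users (
            username TEXT NOT NULL {unique},
            salt     TEXT NOT NULL,
            pw_hash  TEXT NOT NULL
        );
    """)
    conn.executemany("INSERT INTO invites (code) VALUES (?)",
                     [(DOCTOR_INVITE,), (ATTACKER_INVITE,)])
    conn.commit()
    return conn


def register_vulnerable(conn, username, password, invite) -> bool:
    """Models the reported behaviour: any known invite code is accepted
    (and never consumed), and an existing row for the same username is
    deleted and replaced with the new credentials."""
    if conn.execute("SELECT 1 FROM invites WHERE code = ?", (invite,)).fetchone() is None:
        return False
    salt = secrets.token_hex(8)
    conn.execute("DELETE FROM users WHERE username = ?", (username,))
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, _hash_password(password, salt)))
    conn.commit()
    return True


def register_hardened(conn, username, password, invite) -> bool:
    """One account per username (UNIQUE constraint) and one account per invite
    code (consumed atomically), all in one transaction so that a failed insert
    also rolls back the invite consumption."""
    salt = secrets.token_hex(8)
    try:
        with conn:  # commit on success, roll back on any exception
            cur = conn.execute(
                "UPDATE invites SET used = 1 WHERE code = ? AND used = 0", (invite,))
            if cur.rowcount != 1:
                raise ValueError("invite code unknown or already used")
            conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                         (username, salt, _hash_password(password, salt)))
    except (sqlite3.IntegrityError, ValueError):
        return False  # duplicate username or bad invite: nothing was changed
    return True


def login(conn, username, password) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and secrets.compare_digest(
        row[1], _hash_password(password, row[0]))


def run_scenario(hardened: bool) -> dict:
    """Replays the report's PoC: the doctor registers 'Admin', then an
    attacker holding their own invite code registers 'Admin' again."""
    conn = new_db(hardened)
    register = register_hardened if hardened else register_vulnerable
    doctor = register(conn, "Admin", "doctor-pw", DOCTOR_INVITE)
    attacker = register(conn, "Admin", "attacker-pw", ATTACKER_INVITE)
    return {
        "doctor_registered": doctor,
        "attacker_registered": attacker,
        "doctor_can_login": login(conn, "Admin", "doctor-pw"),
        "attacker_can_login": login(conn, "Admin", "attacker-pw"),
        "admin_rows": conn.execute(
            "SELECT COUNT(*) FROM users WHERE username = 'Admin'").fetchone()[0],
        # Invite reuse: can the doctor's code create a second, different account?
        "doctor_invite_reusable": register(conn, "Other", "x", DOCTOR_INVITE),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_scenario(mode))
```

Two points worth noting. The UNIQUE constraint is what actually closes the reported issue, because an application-level "does this username exist?" check followed by a separate insert still leaves a race between two concurrent registrations; the database refuses the duplicate regardless of how the PHP is ordered. Consuming the invite code inside the same transaction is a separate control (it stops one code from minting many accounts) and is rolled back when the insert fails, so a rejected attempt does not burn a legitimate invite.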