FirstBlood-#32 — Multiple Register on same Username
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-09, mava reported:
I found a Business Logic Vulnerability inside FirstBloodhackers.
A user with an Invite Code can register multiple accounts under the same name using the same invite code.
- Acquire an Invite Code, e.g.:
- Register a new account, let's call him
- Let's use the same Invite Code and Username to register a new account:
- You can only log in to the user with the later password.
This Business Logic Vulnerability allows anybody with an Invite Code to "takeover/lock out" any doctor of his account, by just registering it with the same username.
Only 1 account must be allowed per username
This report has been publicly disclosed for everyone to view
FirstBlood ID: 17
Vulnerability Type: Auth issues
Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.
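The flaw described in the report and in the "Unintended" note above is a registration path that replaces an existing account instead of rejecting a duplicate username. The following added example (not FirstBlood's code; the schema, invite codes, usernames and passwords are constructed for illustration) models that delete-and-replace behaviour next to a hardened registration that enforces a UNIQUE username constraint and, as an additional assumed control not stated on the page, consumes the invite code in the same transaction:

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def make_db(unique_username: bool) -> sqlite3.Connection:
    """In-memory schema; the flag toggles the UNIQUE constraint on username.
    `constraint` is a hard-coded keyword, never user input."""
    constraint = "UNIQUE" if unique_username else ""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE invites (code TEXT PRIMARY KEY, used_by TEXT);
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL {constraint},
            salt BLOB NOT NULL,
            pw_hash BLOB NOT NULL
        );
        -- constructed invite codes for the demo
        INSERT INTO invites (code) VALUES ('INVITE-CONSTRUCTED-1'), ('INVITE-CONSTRUCTED-2');
    """)
    return db


def register_vulnerable(db: sqlite3.Connection, username: str, password: str, invite: str) -> bool:
    """Models the reported flaw: the invite code is only checked for existence
    (so it is reusable) and an existing row with the same username is deleted
    and replaced, locking the original owner out."""
    if db.execute("SELECT 1 FROM invites WHERE code = ?", (invite,)).fetchone() is None:
        return False
    salt, digest = hash_password(password)
    with db:
        db.execute("DELETE FROM users WHERE username = ?", (username,))
        db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                   (username, salt, digest))
    return True


def register_hardened(db: sqlite3.Connection, username: str, password: str, invite: str) -> bool:
    """One account per username: the UNIQUE constraint makes a duplicate INSERT
    fail with IntegrityError, and the whole transaction (including invite
    consumption) is rolled back, so the original account is untouched."""
    try:
        with db:  # commits on success, rolls back on any exception
            cur = db.execute(
                "UPDATE invites SET used_by = ? WHERE code = ? AND used_by IS NULL",
                (username, invite))
            if cur.rowcount != 1:
                raise ValueError("invite code unknown or already used")
            salt, digest = hash_password(password)
            db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                       (username, salt, digest))
    except (sqlite3.IntegrityError, ValueError):
        return False
    return True


def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash for this username."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def demo() -> dict:
    """Replays the report's scenario against both variants and returns the outcomes."""
    results = {}
    vuln = make_db(unique_username=False)
    register_vulnerable(vuln, "drbob", "original-pw", "INVITE-CONSTRUCTED-1")
    results["vuln_second_register"] = register_vulnerable(vuln, "drbob", "attacker-pw", "INVITE-CONSTRUCTED-1")
    results["vuln_original_login"] = login(vuln, "drbob", "original-pw")
    results["vuln_later_login"] = login(vuln, "drbob", "attacker-pw")

    hard = make_db(unique_username=True)
    register_hardened(hard, "drbob", "original-pw", "INVITE-CONSTRUCTED-1")
    results["hard_second_register"] = register_hardened(hard, "drbob", "attacker-pw", "INVITE-CONSTRUCTED-2")
    results["hard_reused_invite"] = register_hardened(hard, "someone", "pw", "INVITE-CONSTRUCTED-1")
    results["hard_original_login"] = login(hard, "drbob", "original-pw")
    results["hard_later_login"] = login(hard, "drbob", "attacker-pw")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable variant the second registration succeeds and only the later password logs in, exactly the symptom in the report; in the hardened variant the duplicate is rejected, the rollback leaves the second invite code unused, and the original password still works. Putting the uniqueness rule in the database constraint rather than only in an application-side check also closes the race where two registrations pass the check concurrently.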
Creator & Administrator
Nice find, I actually did add some code to prevent this but it seems it didn't work correctly, so I've added it as an unintended and I'm awarding you a bounty :)
Respect Earnt: 2500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.