BugBountyHunter

Hello team, The inviteCode parameter lacks proper validation, and allows us to register a user with other user's invite code which contradicts to what the application mentions about how the doc accounts are already created. This also allows us to use the same code to register multiple accounts.

Description

Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur and, consequently, failing to handle them safely.

Impact

Using this the attacker can register as many accounts as he wants.

Proof of Concept

Steps to Reproduce

1. A public post on reddit leaks an invite code for our application. link here - https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/

2. This code allows us to register a user, but the issue here is that the same code can be reused to register as many users as we want. As we can see in the following screenshots we are registering two users with the same invite code.

Remediation

Apply proper validation so that an Invite Code cannot be re-used.