FirstBlood-#43 — Doctor Registration code misconfiguration
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-09, vermsec reported:
Hello team,

The inviteCode parameter lacks proper validation and allows us to register a user with another user's invite code, which contradicts what the application says about how the doc accounts are already created. This also allows us to use the same code to register multiple accounts.
Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur and, consequently, failing to handle them safely.
Using this, the attacker can register as many accounts as he wants.
Proof of Concept
Steps to Reproduce
A public post on reddit leaks an invite code for our application. link here - https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/
This code allows us to register a user, but the issue here is that the same code can be reused to register as many users as we want. As we can see in the following screenshots we are registering two users with the same invite code.
Apply proper validation so that an Invite Code cannot be re-used.
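The fix the report asks for, worked through as an added example that is not FirstBlood's own code: an invite-code store that issues one code per intended doctor, stores only a hash of it, and redeems it at most once, only for the e-mail it was issued to, and only before it expires. The names (`InviteStore`, `issue`, `redeem`) and the 7-day lifetime are assumptions for illustration; `redeem_insecure` reproduces the behaviour described in the report (any valid code, any number of times) so the two can be compared side by side.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example. Models server-side invite-code handling that closes the
# two gaps from the report: a code that anyone can use, and a code that can be
# reused for any number of registrations.


@dataclass
class Invite:
    code_hash: str      # only a hash is stored; a leaked DB row does not leak the code
    email: str          # the recipient the code was issued to (assumed binding)
    expires_at: float   # unix time after which the code is dead even if unused
    redeemed: bool = False


class InviteStore:
    """In-memory stand-in for the invite table; a real app would use a DB."""

    def __init__(self, ttl_seconds: float = 7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._by_hash = {}  # code_hash -> Invite

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, email: str, now: float = None) -> str:
        """Mint a fresh random code bound to one recipient; return it once."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(24)  # 192 bits, not guessable
        h = self._hash(code)
        self._by_hash[h] = Invite(h, email.lower(), now + self.ttl)
        return code

    def redeem_insecure(self, code: str) -> bool:
        """The behaviour the report describes: the code merely has to exist.
        Nothing ties it to a recipient and nothing marks it as spent."""
        return self._hash(code) in self._by_hash

    def redeem(self, code: str, email: str, now: float = None) -> bool:
        """Hardened check: exists, not yet used, not expired, right recipient.
        Marks the code spent so a second registration with it fails."""
        now = time.time() if now is None else now
        inv = self._by_hash.get(self._hash(code))
        if inv is None or inv.redeemed or now > inv.expires_at:
            return False
        # constant-time compare so recipient binding leaks nothing via timing
        if not hmac.compare_digest(inv.email.encode("utf-8"),
                                   email.lower().encode("utf-8")):
            return False
        # In a DB do this as a single conditional UPDATE ... WHERE redeemed = 0
        # so two concurrent registrations cannot both win.
        inv.redeemed = True
        return True


if __name__ == "__main__":
    store = InviteStore()
    code = store.issue("doctor@example.test")      # constructed recipient
    print("insecure, attacker:", store.redeem_insecure(code))   # True
    print("insecure, again:   ", store.redeem_insecure(code))   # True
    print("secure, attacker:  ", store.redeem(code, "attacker@example.test"))  # False
    print("secure, doctor:    ", store.redeem(code, "doctor@example.test"))    # True
    print("secure, reuse:     ", store.redeem(code, "doctor@example.test"))    # False
```

The recipient check is what stops a code lifted from a public post from being useful to anyone but the doctor it was mailed to; the single-use flag and expiry are what stop the repeated registrations shown in the screenshots.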
This report has been publicly disclosed for everyone to view
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
Creator & Administrator
Nice find, vermsec, and great report. Even though you weren't the first to find this, I'm awarding you a bounty at my own discretion. Great work again mate!
Respect Earnt: 1500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.