FirstBlood-#436 — A doctors invite code is easily guessable and grants anyone access to the doctor portal and patient PII data
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, xnl-h4ck3r reported:
It is possible due to a number of vulnerabilities that an attacker is able to register on the app and obtain all patient PII data.
/register.phpit says: Note: Doctor accounts are pre-made so please enter your username and invite code to activate your account
- Firstly, an invite code of
testis easily guessable while they are testing their new version.
- Secondly, an invite code can be used multiple times so an attacker has the opportunity to make use of this code even if used before.
- Thirdly, an attacker is able to register using any user name, not just a Doctor account that has been pre-made (although likely usernames are on
Once registered, the attacker can then access the Management panel on
/drpanel/index.php. The user is informed with Warning: As your account has been recently registered you will not be able to view patient information yet.
The attacker has access to patients full names who have appointments that day, and who have cancelled appointments.
Steps To Reproduce
- Go to
/register.php, enter a user name and Unique invite code of
- Log in as the new user, and observe the message below:
Authorisation controls can be bypassed allowed new users access to patient appointment PII data
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.