FirstBlood-#50 — Account takeover via re-register with the same username
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-09, parisk reported:
I found an account takeover via re-register with the same username on your platform.
1. Create an account with the invite code: F16CA47250E445888824A9E63AE445CE. After that, save your username and password, then log in to the account to check that it worked.
2. Re-register with the same username from step 1 and the invite code, then save the username and password again. You can see that the account from step 1 doesn't work anymore and the account from this step works.
If by some way an attacker can obtain the victim's username, then he can take over the victim's account forever.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 17
Vulnerability Type: Auth issues
Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.
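The defect described above, as an added illustration that is not FirstBlood's code: a registration handler that writes with INSERT OR REPLACE silently drops the existing row for that username, so the victim's credentials are overwritten, while a plain INSERT against a unique key rejects the duplicate atomically. The in-memory SQLite table, column names and PBKDF2 settings are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    # Hypothetical user store; username is the unique key.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def canon(username: str) -> str:
    # Normalise so "Victim" and "victim " cannot bypass the uniqueness check.
    return username.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Bug: REPLACE deletes any row with the same key before inserting,
    # so a second registration replaces the victim's account.
    salt = os.urandom(16)
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
               (canon(username), salt, hash_password(password, salt)))
    return True


def register_fixed(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Fix: plain INSERT; the PRIMARY KEY rejects duplicates inside the database,
    # so there is no check-then-insert race to exploit either.
    salt = os.urandom(16)
    try:
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (canon(username), salt, hash_password(password, salt)))
    except sqlite3.IntegrityError:
        return False  # username taken; respond with a generic error
    return True


def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (canon(username),)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))
```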
Creator & Administrator
Nice find, I actually did add some code to prevent this, but it seems it didn't work correctly, so I've added it as an unintended and I'm awarding you a bounty :)
Respect Earnt: 2500000