FirstBlood-#793 — Invalidate previously registered users by using duplicate invitations
This issue was discovered on FirstBlood v2
On 2021-10-28, axe Level 4 reported:
Steps
- Use the test invitation code to register a test user.
- Register the test user again using the test invitation code. Found that registration failed.
- Try another idea. To make it easier to distinguish, I'll register and test with other usernames.
- Register the Sam user with the test invitation code.
- Registered successfully.
- Try logging in.
- Login successful.
- After testing, the Sam user can log in repeatedly!!! Until I registered the Axe user with the test invitation code -> found that the Sam user strangely can't log in anymore.
- Try to log in to the Sam user -> Shows: There was an error logging in.
- Try to log in to the Axe user -> The login was found to be successful.
- Tried again to log in to the Sam user and found that the login failed!!! The user is no longer available.
Impact
- Description: the test invitation code can be registered with repeatedly, but does not expire!
- This shows that after the latest use of the invitation code, the previously registered account becomes invalid.
P3 Medium
Endpoint: /register.php
Parameter: inviteCode
Payload: NA
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
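As an added illustration (not FirstBlood's code), the following models the behaviour described in the report beside a hardened variant with single-use invite codes. The storage layout of the vulnerable model is an assumption: the report shows only that a second registration with the same code makes the earlier account unusable.

```python
import secrets


class VulnerableRegistration:
    """Assumed layout: one account slot per invite code, never marked as used."""

    def __init__(self, invite_codes):
        self.accounts_by_invite = {code: None for code in invite_codes}

    def register(self, invite_code, username, password):
        if invite_code not in self.accounts_by_invite:
            return False
        # Bug: the invite stays valid and the earlier account in this slot is
        # silently replaced, so the previous user can no longer log in.
        self.accounts_by_invite[invite_code] = (username, password)
        return True

    def login(self, username, password):
        return (username, password) in self.accounts_by_invite.values()


class HardenedRegistration:
    """Invite codes are consumed on first use; accounts are keyed by username."""

    def __init__(self, invite_codes):
        self.unused_invites = set(invite_codes)
        self.accounts = {}  # username -> password (plain here only to keep the model short)

    def register(self, invite_code, username, password):
        # Reject reuse of a consumed or unknown invite and duplicate usernames.
        if invite_code not in self.unused_invites or username in self.accounts:
            return False
        self.unused_invites.discard(invite_code)
        self.accounts[username] = password
        return True

    def login(self, username, password):
        stored = self.accounts.get(username)
        return stored is not None and secrets.compare_digest(stored, password)


def replay_report_steps(system):
    """Register Sam, then Axe, with the same invite code; return the login outcomes."""
    system.register("test", "Sam", "sam-pw")
    sam_before = system.login("Sam", "sam-pw")
    axe_registered = system.register("test", "Axe", "axe-pw")
    return (sam_before, axe_registered,
            system.login("Sam", "sam-pw"), system.login("Axe", "axe-pw"))
```

With the vulnerable model Sam's login succeeds until Axe registers and then fails, matching the report; the hardened model rejects Axe's registration and Sam's account survives.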