FirstBlood-#793 — Invalidate previously registered users by using duplicate invitations
This issue was discovered on FirstBlood v2
On 2021-10-28, axe Level 4 reported:
Steps

- Use the test invitation code to register the test user.
  ![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635435354/pxec9a5g30m9vlvcbg6g.png)
- Register the test user again using the test invitation code. Found that registration failed.
  ![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635435376/ann2a4rp78tg4ct9xqls.png)
- Try another idea. To make it easier to distinguish, I'll register and test with other usernames.
- Register the Sam user with the test invitation code.
- Registration is successful.
  ![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635435380/qvahm7ajbjkdz6ubc8ey.png)
- Try logging in.
  ![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635435386/nygaio5l12jvh31bpbke.png)
- Login successful.
  ![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635435390/ttk700uqmg89edanzjvd.png)
- After testing, the Sam user can log in repeatedly!!! Until I registered the Axe user with the test invitation code -> found that the Sam user strangely can't log in anymore.
  ![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635435394/avknfvitkolzmklclndp.png)
- Try to log in to the Sam user -> Shows: There was an error logging in.
- Try to log in to the Axe user -> The login was found to be successful.
  ![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635435400/lvrqg41rxa9a8a2zmlbw.png)
- Tried again to log in to the Sam user and found that the login failed!!! The user is no longer available.
Impact

- Description: the test invitation code can be used for registration repeatedly, but does not expire!
- This shows that after the latest use of the invitation code, the previously registered account becomes invalid.
P3 Medium
Endpoint: /register.php
Parameter: inviteCode
Payload: NA
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
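As an added illustration (not FirstBlood's code; the report does not state the root cause), the Python below models one storage design that produces exactly the observed behaviour, an account record keyed by the invite code with codes never consumed, beside a hardened registry that keys accounts by username and marks each invite code used on first registration. `TESTCODE`, the usernames and passwords are constructed placeholders.

```python
import secrets

class RegistrationError(Exception):
    pass

class VulnerableRegistry:
    """Hypothetical model of the reported behaviour: the account record is
    stored under the invite code, so a second registration with the same
    code silently replaces the earlier user, and codes are never consumed."""
    def __init__(self, invite_codes):
        self.accounts = {}                    # invite_code -> (username, password)
        self.valid_codes = set(invite_codes)  # never marked as used

    def register(self, username, password, invite_code):
        if invite_code not in self.valid_codes:
            raise RegistrationError("invalid invite code")
        if any(u == username for u, _ in self.accounts.values()):
            raise RegistrationError("username taken")  # why re-registering 'test' failed
        self.accounts[invite_code] = (username, password)  # overwrites the previous user

    def login(self, username, password):
        return (username, password) in self.accounts.values()

class HardenedRegistry:
    """Accounts keyed by username; each invite code is consumed on first use."""
    def __init__(self, invite_codes):
        self.accounts = {}                    # username -> password
        self.unused_codes = set(invite_codes)

    def register(self, username, password, invite_code):
        if username in self.accounts:
            raise RegistrationError("username taken")
        if invite_code not in self.unused_codes:
            raise RegistrationError("invite code invalid or already used")
        self.unused_codes.discard(invite_code)  # single use: any later reuse is rejected
        self.accounts[username] = password      # plaintext only to keep the model short

    def login(self, username, password):
        stored = self.accounts.get(username)
        return stored is not None and secrets.compare_digest(stored, password)

def reproduce(registry_cls):
    """Replay the report's sequence; return (sam_can_still_login, axe_registered)."""
    reg = registry_cls({"TESTCODE"})  # constructed placeholder, not the real test code
    reg.register("Sam", "sam-pw", "TESTCODE")
    try:
        reg.register("Axe", "axe-pw", "TESTCODE")
        axe_registered = True
    except RegistrationError:
        axe_registered = False
    return reg.login("Sam", "sam-pw"), axe_registered
```

`reproduce(VulnerableRegistry)` returns `(False, True)`: Axe's registration succeeds and Sam can no longer log in, matching the report; `reproduce(HardenedRegistry)` returns `(True, False)`.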