FirstBlood-#826: Original account registered with invite code gets deleted after registering another account with invite code
This issue was discovered on FirstBlood v2



On 2021-10-29, vishal Level 2 reported:

Description: Original account registered with invite code gets deleted after registering another account with invite code.

Steps to reproduce the issue:

  1. Visit /register.php.
  2. Now enter any username you want to register as and the invite code test, as below.
  3. You will get the login credentials for the username you have given, as below. Note the credentials.
  4. Register again with a different username but the same invite code. You will get the login credentials for this user like this.
  5. Now go to /login.php and provide the login credentials you got when you registered the first time. You will get a message like below.

It means we can conclude that this user doesn't exist now. Well, I guess not, because we get the same error message when we give a wrong password for a valid username.
  1. So I had to find another way to verify whether this doctor exists or not. Then I got to know I have an endpoint which updates the password for doctors, so it responds like this: if the user is valid, this endpoint updates its password like below.

    Note: when the user exists, I got the updated password in the response. Now let's see what happens when I do the same after using test to register a second account.
  2. Now I got the response user not found!

Now I can say that after using the same invite code to register a doctor account, the first account gets deleted or deactivated.

Impact: Deletion of the first account is possible in case of a code leak. After using the invite code, the owner would think of it as of no use and would not treat it as sensitive information, without knowing that it could lead to deletion of his account.

Solution: The invite code should expire after one-time use.

Let me know if anything is missing or further information is required.

Thanks and Regards - Vishal

P3 Medium

Parameter:

Payload:


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
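
The fix suggested in the report (an invite code that expires after one use) can be enforced in the registration transaction itself. The following is an added example, not FirstBlood's code: the schema, the `register` and `account_exists` functions and the sample usernames are assumptions, and Python with SQLite stands in for the application's backend.

```python
import hashlib
import secrets
import sqlite3

def init_db():
    # isolation_level=None: autocommit mode, so transactions below are explicit.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript("""
        CREATE TABLE doctors (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                              salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
        CREATE TABLE invites (code TEXT PRIMARY KEY,
                              used_by INTEGER UNIQUE REFERENCES doctors(id));
    """)
    return db

def register(db, username, invite_code):
    """Create the account and consume the invite atomically.
    Returns the generated password, or None if the code or username is unusable."""
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    db.execute("BEGIN IMMEDIATE")
    try:
        new = db.execute(
            "INSERT INTO doctors (username, salt, pw_hash) VALUES (?, ?, ?)",
            (username, salt, pw_hash))
        # Claim the code only if nobody has used it; existing rows are never touched.
        claimed = db.execute(
            "UPDATE invites SET used_by = ? WHERE code = ? AND used_by IS NULL",
            (new.lastrowid, invite_code))
        if claimed.rowcount != 1:  # unknown or already-used code
            db.execute("ROLLBACK")
            return None
        db.execute("COMMIT")
        return password
    except sqlite3.IntegrityError:  # duplicate username
        db.execute("ROLLBACK")
        return None

def account_exists(db, username):
    row = db.execute("SELECT 1 FROM doctors WHERE username = ?", (username,)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = init_db()
    db.execute("INSERT INTO invites (code) VALUES ('test')")  # constructed sample code
    print(register(db, "drfirst", "test") is not None)   # first use succeeds
    print(register(db, "drsecond", "test"))               # reuse is refused
    print(account_exists(db, "drfirst"))                  # first account intact
```

Because the invite is claimed with a conditional `UPDATE` inside the same transaction as the `INSERT`, two concurrent registrations with the same code cannot both succeed, and a refused registration leaves no partial account behind.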