FirstBlood-#826 — Original account registered with invite code get deleted after registering another account with invite code
This issue was discovered on FirstBlood v2
On 2021-10-29, vishal Level 2 reported:
Discription : Original account registered with invite code get deleted after registering another account with invite code.
Steps to Reproduce the issue :
- Visit /register.php.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635192083/y3bipsgjsxtirumsmsw0.jpg)
- Now enter any username you want to register as and invite code test as below
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635223608/rkubp5s49ioyvbl7c2qb.jpg)
- you will get the login credential's for for the username you have given as below . Note the credentials.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635223687/umrwfhvuorp6hlsnj6ph.jpg)
- Again register with different username but same invite code . you will get the login credentials for this user like this.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635487661/rn10j409chx14gyf8r6n.jpg)
- Now go to /login.php and provide the login credentials you got when you register for first time. you will get msg like below.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635487696/vjzvtcihznx4fszigozb.jpg)
It means we can conclude that this user doesn't exist now. well i guess no because we get same error msg when we give wrong password for valid username.
-
So i have to find an another way to verify if this doctor exist or not . Then i got to know i have an endpoint which update password for doctor's so it response like this if user is valid this endpoint update it's password like below.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635486929/iqve7bho8jxcy6rbbagm.jpg)
Note:-when user exist i got in response updated password. Now let's see what will happen when i do the same after using test to register second account.
-
Now I got response user not found ! .
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635487069/qpcjcwpa2pnw2wspuoev.jpg)
Now I can say that after using same invite code to register doctor account first account get deleted or deactivated.
Impact: deletion of first account is possible in case of code leak . after use of invite code owner would think of it as no use and will not think of it as a sensitive information without knowing that it could lead to deletion of his account.
solution : invite code should get expired after one time use .
Let me know, if anything missing or further information is required.
Thanks and Regards - Vishal
P3 Medium
Parameter:
Payload:
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.