I found out that any user can register to the application due to an invitation code leaked in a Reddit forum; it seems a doctor had posted his invitation code in the Reddit forum linked here, which enables any user to create his own doctor account.
Steps to reproduce
The /register.php endpoint asks for a username and a unique invite code. Since we already have the invite code, we can choose our own doctor name and get a password for it.
Then hit the /login.php endpoint and log in with the chosen username and the password the server gave.
You can see that you are registered and logged in to the application successfully.
Account takeover of valid existing doctors
I think there is also another application logic problem here besides the info leak mentioned above. According to /register.php, the invite code field is called "Unique invite code", meaning that the invite code given to a doctor should only work for his username and not for any other username. This check is skipped in the application, and any user can choose his own username with the leaked invite code to register to the application.
This security misconfiguration enables an attacker to use a known valid doctor username (besides drAdmin) and reset his password: the server generates a new password for that username, the old password stops working, the doctor is logged out of his account, and we can log in with the new password generated by the server. This leads to an account takeover of existing doctors.
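To make the missing checks concrete, here is an added example (not code from the reported application) that models the registration logic in Python. The usernames, invite code and stored password hash are constructed for the example. register_vulnerable reproduces the behaviour described above: the invite code is only checked for existence, it is never tied to a username, it is never consumed, and registering an existing username silently replaces that account's password. register_hardened shows the checks a registration endpoint needs so that an invite can only create the one account it was issued for, exactly once.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: one invite issued to one named doctor, and one
# doctor account that already exists. All values are invented.
ISSUED_INVITES = {
    "INV-ALICE-0001": {"username": "dr_alice", "used": False},
}
EXISTING_ACCOUNTS = {"dr_bob": "existing-password-hash"}


@dataclass
class Store:
    """Tiny in-memory stand-in for the application's database."""
    invites: dict = field(
        default_factory=lambda: {k: dict(v) for k, v in ISSUED_INVITES.items()})
    accounts: dict = field(default_factory=lambda: dict(EXISTING_ACCOUNTS))


def _hash_password(password: str) -> str:
    # Salted PBKDF2 so the store never holds the generated password itself.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def register_vulnerable(store: Store, username: str, invite_code: str) -> Optional[str]:
    """Model of the flawed logic: any known code registers any username,
    the code is reusable, and an existing account gets its password reset."""
    if invite_code not in store.invites:
        return None
    password = secrets.token_urlsafe(12)
    store.accounts[username] = _hash_password(password)  # overwrites dr_bob
    return password


def register_hardened(store: Store, username: str, invite_code: str) -> Optional[str]:
    """Corrected logic: the invite must be bound to this exact username,
    must be unused, and must not collide with an existing account.
    The invite is consumed in the same step so it cannot be replayed."""
    invite = store.invites.get(invite_code)
    if invite is None:
        return None
    # Constant-time comparison of the bound username so timing does not
    # reveal which half of (code, username) was wrong.
    if not hmac.compare_digest(invite["username"].encode(), username.encode()):
        return None
    if invite["used"] or username in store.accounts:
        return None
    invite["used"] = True
    password = secrets.token_urlsafe(12)
    store.accounts[username] = _hash_password(password)
    return password


def outcomes() -> dict:
    """Run both variants against the same attempts; used by the test below."""
    weak, strong = Store(), Store()
    return {
        "weak_foreign_name": register_vulnerable(weak, "attacker_doc", "INV-ALICE-0001") is not None,
        "weak_takeover": register_vulnerable(weak, "dr_bob", "INV-ALICE-0001") is not None
        and weak.accounts["dr_bob"] != "existing-password-hash",
        "strong_foreign_name": register_hardened(strong, "attacker_doc", "INV-ALICE-0001") is None,
        "strong_takeover": register_hardened(strong, "dr_bob", "INV-ALICE-0001") is None
        and strong.accounts["dr_bob"] == "existing-password-hash",
        "strong_legit": register_hardened(strong, "dr_alice", "INV-ALICE-0001") is not None,
        "strong_replay": register_hardened(strong, "dr_alice", "INV-ALICE-0001") is None,
    }


if __name__ == "__main__":
    for name, ok in outcomes().items():
        print(f"{name}: {ok}")
```

In the hardened variant the invite lookup, the username binding, the single-use flag and the existing-account check are all applied before anything is written, which is what makes a leaked code worthless to anyone but the doctor it was issued to, and what prevents the password-reset takeover described above.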
- Anyone can register as a new doctor and access the doctor's portal
- Doctor's account takeover