FirstBlood-#97Registring to the application as a doctor due to the leaked invitation code [COLLAB]
This issue was discovered on FirstBlood v1

On 2021-05-10, holybugx Level 5 reported:


Hello Sean,

I found out that any user can register to the application due to the leaked invitation code in a Reddit forum, seems like a doctor had posted his invitation code in a Reddit forum linked here which enables any user to create his own doctor account.

  • Then invite code:

Steps to reproduce

Opening the /register.php endpoint asks for a username and a unique Invite code, as we already have the invite code we can choose our own doctor name and get a password for it:

then you can hit the /login.php endpoint and log in with your chosen username and the given password.

You can see that you are registered and logged in to the application successfully.

Account takeover of valid existing doctors

I think there is also another application logic problem here besides the info leak mentioned above, according to /register.php in the invite code field, it's called "Unique invite code" meaning that the invite code given to a doctor should only work for his username but not with any other username, this check is skipped in the application and any user can choose his own username with the leaked invite code to register to the application.

This security misconfiguration enables an attacker to use a known valid doctor username (besides drAdmin) and to reset his password, therefore the doctor will be logged out of his account and we can log in with the new password generated by the server, and the old password won't work. This leads to an Account takeover of existing doctors.


  • Anyone can register as a new doctor and access the doctor's portal
  • Doctor's account takeover

Kind Regards,


P2 High

This report contains multiple vulnerabilities:

  • Authorisation Issue
  • Auth issues

FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.

FirstBlood ID: 17
Vulnerability Type: Auth issues

Unintended: An account with the same username can be created which leads to the original account being deleted and replaced with the attackers