FirstBlood-#97 Registering to the application as a doctor due to the leaked invitation code [COLLAB]



On 2021-05-10, holybugx reported:

Description

Hello Sean,

I found out that any user can register to the application due to a leaked invitation code in a Reddit forum; it seems a doctor posted his invitation code in a Reddit forum (linked here), which enables any user to create his own doctor account.

  • The invite code:
F16CA47250E445888824A9E63AE445CE

Steps to reproduce

Opening the /register.php endpoint asks for a username and a unique invite code. As we already have the invite code, we can choose our own doctor name and get a password for it:

Then you can hit the /login.php endpoint and log in with your chosen username and the given password.

You can see that you are registered and logged in to the application successfully.

Account takeover of valid existing doctors

I think there is also another application logic problem here besides the info leak mentioned above. According to /register.php, the invite code field is called "Unique invite code", meaning that the invite code given to a doctor should only work for his username and not with any other username. This check is skipped in the application, and any user can choose his own username with the leaked invite code to register to the application.

This security misconfiguration enables an attacker to use a known valid doctor username (besides drAdmin) and reset his password; therefore the doctor will be logged out of his account, and we can log in with the new password generated by the server, while the old password won't work. This leads to an account takeover of existing doctors.

Impact

  • Anyone can register as a new doctor and access the doctor's portal
  • Doctor's account takeover

Kind Regards,

HolyBugx

P2 High

This bug makes use of the following vulnerabilities in a chain:

  • Auth issues
  • Auth issues


FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.

FirstBlood ID: 17
Vulnerability Type: Auth issues

Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.
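The two findings above (FirstBlood #15, a reusable leaked invite code, and #17, registration silently replacing an existing account) come from the same missing checks in the registration handler. The following is an added example, not the FirstBlood application's own code, of a registration flow that closes both: each invite code is bound to one doctor username, is consumed on first use, and registration never overwrites an existing account. It assumes in-memory dicts for invites and accounts and a server-generated password, as the report describes for /register.php; `UnsafeRegistry` reproduces the reported behaviour for comparison.

```python
"""Single-use, username-bound invite codes for a doctor registration flow.

Added example, not the FirstBlood application's own code. Assumptions:
invites and accounts are kept in in-memory dicts, and the server (not the
user) generates the password, as the report describes for /register.php.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Invite:
    username: str          # the only username this code may register
    consumed: bool = False


@dataclass
class Registry:
    invites: dict = field(default_factory=dict)   # code -> Invite
    accounts: dict = field(default_factory=dict)  # username -> password

    def issue_invite(self, username: str) -> str:
        """Issue a fresh random code bound to one doctor username."""
        code = secrets.token_hex(16).upper()
        self.invites[code] = Invite(username=username)
        return code

    def register(self, username: str, code: str) -> tuple:
        """Return (True, password) on success or (False, reason) on refusal.

        The reason is meant for the server log; the HTTP response should
        carry one generic error so the individual checks cannot be probed.
        """
        invite = self.invites.get(code)
        if invite is None:
            return False, "unknown invite code"
        if invite.consumed:
            # A leaked code (FirstBlood #15) is useless once its owner has registered.
            return False, "invite code already consumed"
        if invite.username != username:
            # "Unique invite code": it only works for the doctor it was issued to.
            return False, "invite code not issued to this username"
        if username in self.accounts:
            # Never reset or replace an existing account (FirstBlood #17).
            return False, "username already registered"
        password = secrets.token_urlsafe(12)
        self.accounts[username] = password   # a real system stores a password hash
        invite.consumed = True
        return True, password


class UnsafeRegistry(Registry):
    """The behaviour the report describes: any known code works for any
    username, can be reused, and an existing account is silently replaced."""

    def register(self, username: str, code: str) -> tuple:
        if code not in self.invites:
            return False, "unknown invite code"
        password = secrets.token_urlsafe(12)
        self.accounts[username] = password   # overwrites the real doctor's password
        return True, password


if __name__ == "__main__":
    registry = Registry()
    invite_code = registry.issue_invite("drSmith")   # constructed sample doctor
    print(registry.register("drSmith", invite_code))  # (True, '<password>')
    print(registry.register("drEvil", invite_code))   # (False, 'invite code already consumed')
```

The order of checks matters: the consumed check runs before the username comparison so that a leaked code is dead regardless of who presents it, and the existing-account check runs before any password is generated so that a second registration can never disturb the original doctor's credentials.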


Respect Earnt: 2000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.