FirstBlood-#50 — Account takeover via re-register with the same username
This issue was discovered on FirstBlood v1
On 2021-05-09, parisk Level 4 reported:
hi
I found an account takeover via re-register with the same username on your platform.

Steps to reproduce:
1. Create an account with the invite code: F16CA47250E445888824A9E63AE445CE. After that, save your username and password, then log in to the account to check that it worked.
2. Re-register with the same username from step 1 and the invite code, then save the username and password again. You can see that the account from step 1 doesn't work anymore and the account from this step works.

Impact:
If by some means an attacker can obtain the victim's username, then he can take over the victim's account forever.
The invite code is on the internet, so it is not hard to leak.

Remediation:
- Do not allow re-registration if the username already exists on the system.
P2 High
Endpoint: register.php
Parameter: none
Payload: none
FirstBlood ID: 17
Vulnerability Type: Auth issues
Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.
Creator & Administrator
Nice find, I actually did add some code to prevent this but it seems it didn't work correctly, so I've added it as an unintended and I'm awarding you a bounty :)
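The two reproduction steps and the remediation, as an added example that is not FirstBlood's own register.php (its code is not shown here): a minimal Python registration handler over an in-memory SQLite table, with the overwrite behaviour from the report beside a version that rejects an existing username at the database constraint. All function names, the table layout and the sample credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_db():
    # Constructed in-memory store standing in for the platform's user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def register_vulnerable(db, username, password):
    # INSERT OR REPLACE drops the existing row for this username and writes the
    # new credentials: the original owner is locked out, as the report describes.
    salt = os.urandom(16)
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
               (username, salt, _hash_password(password, salt)))
    return True

def register_fixed(db, username, password):
    # Plain INSERT: the PRIMARY KEY constraint rejects a duplicate username
    # atomically, so a "check then insert" race cannot slip past it either.
    salt = os.urandom(16)
    try:
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (username, salt, _hash_password(password, salt)))
    except sqlite3.IntegrityError:
        return False  # username already taken; the original account is untouched
    return True

def login(db, username, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], _hash_password(password, row[0]))

def replay(register):
    # Steps 1 and 2 of the report; returns (second registration accepted,
    # original password still works, second password works).
    db = new_db()
    register(db, "victim", "original-pass")
    accepted = register(db, "victim", "other-pass")
    return accepted, login(db, "victim", "original-pass"), login(db, "victim", "other-pass")
```

Against the vulnerable handler `replay` shows the second registration accepted and only the attacker's password logging in; against the fixed handler the second registration is refused and the original credentials keep working.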