How the CVE Works:
This vulnerability in Parse Server arises from improper handling of 3rd party authentication credentials. When the same user signs up through the same authentication provider in several Parse Server apps, the authData that one app accepts can be replayed to authenticate that user in another, unrelated app: the server checks that the provider token is valid for the claimed user, but not that the token was issued to the app it is being presented to, so authentication payloads are not isolated between apps. The issue affects Parse Server apps that use 3rd party authentication providers configured via the `auth` option. An attacker who holds a valid token for the target user from any other app that uses the same provider (for example an app the attacker operates) can use it to log in as that user in the target app, leading to account takeover and exposure of the user's data.
DailyCVE Form:
Platform: Parse Server
Version: <4.10.0
Vulnerability: Authentication Bypass
Severity: Critical
Date: 2023-XX-XX
What Undercode Say:
Exploitation:
1. Exploit Scenario: An attacker holds a valid provider token for the victim that was issued to a different app using the same 3rd party provider, and presents it to the target Parse Server app. Because the vulnerable server does not check which app the token was issued to, the login succeeds.
2. Exploit Code (Parse JavaScript SDK; app id, server URL, user id and token are placeholders):
// The authData shape is the one the Facebook adapter expects: the
// provider's user id plus an access token. Nothing in it binds the
// token to this app, which is exactly what a vulnerable server never checks.
const Parse = require("parse/node");
Parse.initialize("<target app id>");
Parse.serverURL = "https://target.example.com/parse";

const reusedAuthData = {
  id: "<victim's facebook user id>",              // same user across apps
  access_token: "<token issued to an unrelated app>"
};

Parse.User.logInWith("facebook", { authData: reusedAuthData })
  .then(user => console.log("Authenticated as:", user.getUsername()));
Protection:
1. Upgrade Parse Server: Update to a version >=4.10.0 that includes the fix (confirm the patched release for your major version against the linked advisory).
2. Secure Payload Migration: There is no client-side flag that makes a payload "secure"; the mode is decided by the server configuration. Clients keep sending the provider's authData (for Facebook, the user id and the access token); the exact field set the upgraded adapter requires is provider-specific, so check the Parse Server 3rd party authentication docs and update client apps before the insecure flow is switched off.
// Client side (Parse JavaScript SDK), documented Facebook authData shape:
const authData = {
  id: "<facebook user id>",
  access_token: "<access token issued to this app>"
};
Parse.User.logInWith("facebook", { authData })
  .then(user => console.log("Authenticated securely as:", user.getUsername()));
3. Enable Secure Authentication: Bind each adapter to this app's own provider app id(s) and disable the legacy insecure flow on the server.
// Server side. `appIds` lists the Facebook app ids whose tokens this
// adapter accepts; `enableInsecureAuth: false` rejects the legacy flow.
// Other required ParseServer options (databaseURI, appId, masterKey,
// serverURL) are omitted here.
const { ParseServer } = require("parse-server");
const parseServer = new ParseServer({
  // ...databaseURI, appId, masterKey, serverURL...
  auth: {
    facebook: {
      appIds: ["<your facebook app id>"],
      enableInsecureAuth: false
    }
  }
});
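The following is an added worked example, not Parse Server's own adapter code, illustrating both the flaw described under "How the CVE Works" and the server-side fix above. It models the validateAuthData hook of a Parse Server auth adapter for Facebook in two variants: the vulnerable check, which only confirms that the token resolves to the claimed user, and the hardened check, which also requires the token to have been issued to one of the app ids the server is configured with (the `appIds` option). The provider's token introspection is replaced by a constructed in-memory table; every token, app id and user id in it is made up for the example.

```javascript
// Added example, not Parse Server's own adapter code. It models the
// validateAuthData hook of a Parse Server auth adapter for Facebook and
// shows the check that stops a token minted for one app from logging a
// user in to another. Token introspection is replaced by a constructed
// in-memory table; every token, app id and user id here is made up.

// Constructed stand-in for the provider's token-introspection endpoint
// (Facebook's /debug_token reports the app a token was issued to and
// the user it belongs to).
const FAKE_TOKEN_STORE = {
  "tok-ourapp-alice": { app_id: "200", user_id: "alice" },   // issued to our app
  "tok-otherapp-alice": { app_id: "999", user_id: "alice" }, // same user, other app
  "tok-ourapp-bob": { app_id: "200", user_id: "bob" },
};

// A real adapter makes a network call and returns a Promise; kept
// synchronous here so the example runs offline.
function introspectToken(accessToken) {
  return FAKE_TOKEN_STORE[accessToken] || null;
}

// Vulnerable check: confirms the token resolves to the claimed user id
// but never asks which app issued it, so a token from any app that uses
// the same provider works. This is the behaviour the CVE describes.
function validateAuthDataInsecure(authData) {
  const info = introspectToken(authData.access_token);
  if (!info || info.user_id !== authData.id) {
    throw new Error("Facebook auth is invalid for this user.");
  }
}

// Hardened check: additionally requires the token to have been issued to
// one of the app ids this server is configured with (mirroring the
// Facebook adapter's `appIds` option). Missing configuration fails closed.
function validateAuthDataSecure(authData, options) {
  const appIds = Array.isArray(options.appIds) ? options.appIds : [options.appIds];
  if (appIds.length === 0 || appIds.some((a) => !a)) {
    throw new Error("Facebook auth is not configured: appIds missing.");
  }
  const info = introspectToken(authData.access_token);
  if (!info) {
    throw new Error("Facebook auth is invalid for this user.");
  }
  if (!appIds.includes(info.app_id)) {
    throw new Error("Facebook auth token was issued to a different app.");
  }
  if (info.user_id !== authData.id) {
    throw new Error("Facebook auth is invalid for this user.");
  }
}

// Runs a validator and reports accept/reject instead of throwing.
function accepts(validator, authData, options) {
  try {
    validator(authData, options);
    return true;
  } catch (err) {
    return false;
  }
}

// Compares both validators on a token from our own app and on the same
// user's token from an unrelated app (the cross-app reuse scenario).
function runDemo() {
  const options = { appIds: ["200"] }; // this server's own Facebook app id
  const ownApp = { id: "alice", access_token: "tok-ourapp-alice" };
  const otherApp = { id: "alice", access_token: "tok-otherapp-alice" };
  return {
    insecureOwnApp: accepts(validateAuthDataInsecure, ownApp, options),     // true
    insecureOtherApp: accepts(validateAuthDataInsecure, otherApp, options), // true: the bug
    secureOwnApp: accepts(validateAuthDataSecure, ownApp, options),         // true
    secureOtherApp: accepts(validateAuthDataSecure, otherApp, options),     // false: fixed
  };
}

console.log(runDemo());
```

The hardened variant fails closed when `appIds` is absent or empty, so a misconfigured adapter rejects every login instead of silently accepting tokens from any app; that is the behaviour to preserve if you write a custom adapter for another provider.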
Analytics:
- Affected Providers: Facebook, Google, Twitter, etc.
- Risk Level: High due to potential account compromise across multiple apps.
- Mitigation Steps:
- Audit all 3rd party authentication configurations.
- Set `enableInsecureAuth` to false for every provider once all client apps have been updated to the payload the upgraded adapter expects; until then, run the patched server version and keep the insecure flow under review.
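The audit step above can be scripted. The following is an added example, not part of Parse Server: it walks the `auth` section of a ParseServer options object and lists providers that still allow the legacy insecure flow or that are not bound to a provider app id. It assumes the binding field is `appIds` for Facebook and `clientId` for Google; other adapters are only checked for `enableInsecureAuth`. The sample configuration is constructed.

```javascript
// Added example, not part of Parse Server. Audits the `auth` section of a
// ParseServer options object for providers that still allow the legacy
// insecure flow or lack an app-id binding. Assumption: the binding field
// is `appIds` for Facebook and `clientId` for Google; other adapters are
// checked for enableInsecureAuth only. The sample options are constructed.

const BINDING_FIELD = { facebook: "appIds", google: "clientId" };

// Returns a list of { provider, issue } findings; an empty list is clean.
function auditAuthConfig(serverOptions) {
  const findings = [];
  const auth = (serverOptions && serverOptions.auth) || {};
  for (const [provider, cfg] of Object.entries(auth)) {
    if (!cfg || typeof cfg !== "object") continue; // disabled or shorthand entry
    if (cfg.enableInsecureAuth === true) {
      findings.push({ provider, issue: "enableInsecureAuth is true" });
    }
    const field = BINDING_FIELD[provider];
    if (field) {
      const value = cfg[field];
      const bound = Array.isArray(value) ? value.some(Boolean) : Boolean(value);
      if (!bound) {
        findings.push({ provider, issue: `${field} not set` });
      }
    }
  }
  return findings;
}

// Constructed sample: Facebook is bound to an app id but still on the
// insecure flow; Google is on the secure flow but has no client id;
// Twitter is only checked for the insecure-flow flag here.
const SAMPLE_OPTIONS = {
  appId: "myAppId",
  auth: {
    facebook: { appIds: ["200"], enableInsecureAuth: true },
    google: { enableInsecureAuth: false },
    twitter: { consumer_key: "k", consumer_secret: "s" },
  },
};

console.log(auditAuthConfig(SAMPLE_OPTIONS));
```

Run it against the same object you pass to `new ParseServer(...)` and treat any finding as a blocker for switching off the insecure flow.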
Commands:
1. Check Parse Server Version:
npm list parse-server
2. Upgrade Parse Server:
npm install parse-server@latest
References:
- Parse Server 3rd Party Authentication Docs
- GitHub Security Advisory (reported by): https://github.com/advisories/GHSA-837q-jhwx-cmpv