Parse Server Third-Party Authentication Credential Misuse Vulnerability

Vulnerability

A vulnerability in Parse Server's third-party authentication handling allows authentication credentials from certain providers to be used across multiple Parse Server applications. This issue affects Parse Server versions prior to 7.5.2 and 8.0.0 through 8.0.2. The vulnerability arises when a user signs up with the same authentication provider in two unrelated Parse Server apps: credentials obtained for one app can then be used to authenticate the same user in the other app. This issue specifically impacts Parse Server applications that use an affected third-party authentication provider for user authentication, as configured in the Parse Server options.

Impact

Exploitation of this vulnerability allows for unauthorized authentication across different Parse Server applications, potentially leading to unauthorized access to user accounts.

Reproduction

To reproduce this vulnerability, sign up a user using a third-party authentication provider that is known to be affected, such as GitHub, in one Parse Server application. Then, attempt to use the same credentials to authenticate in a different, unrelated Parse Server application that also uses the same authentication provider. If the authentication is successful, the vulnerability is present.

Remediation

Upgrade Parse Server to version 7.5.2 or 8.0.2, and ensure that the client application is updated to send a secure payload instead of the previous insecure one. For a gradual rollout of the client app update, the affected Parse Server authentication adapters can be configured to accept both insecure and secure payloads.
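As an added illustration (not Parse Server's own code; the payload shapes, the provider behaviour and the option name are assumptions made for this model), the following Node.js snippet contrasts an adapter that validates a bare provider access token, so a token issued for another app authenticates the user here, with one that redeems an app-bound authorization code using the server's own client credentials, plus the transitional mode that accepts both payload shapes during a client rollout as described in the remediation above:

```javascript
// Added illustration, not Parse Server's code. Assumed simplification: an
// "insecure" payload carries a bare provider access token, a "secure" payload
// carries an authorization code that the server exchanges with its own
// client credentials. Provider, tokens and codes below are constructed.
const provider = {
  tokens: { 'tok-appB-alice': { clientId: 'appB', userId: 'alice' } },
  codes:  { 'code-appA-alice': { clientId: 'appA', userId: 'alice' },
            'code-appB-alice': { clientId: 'appB', userId: 'alice' } },
  // Equivalent of a "who am I" call: any valid token resolves to a user,
  // regardless of which OAuth app the token was issued to.
  userForToken(token) {
    const t = this.tokens[token];
    return t ? { id: t.userId } : null;
  },
  // Code exchange: succeeds only with the credentials of the app the code
  // was issued to (secret convention '<clientId>-secret' is constructed).
  exchangeCode(code, clientId, clientSecret) {
    const c = this.codes[code];
    if (!c || c.clientId !== clientId || clientSecret !== `${clientId}-secret`) return null;
    this.tokens[`tok-${clientId}-${c.userId}`] = { clientId, userId: c.userId };
    return { id: c.userId };
  },
};

// Vulnerable behaviour: only checks that the token maps to the claimed user,
// so a token obtained through another app's sign-up is accepted here too.
function validateInsecure(authData) {
  const user = provider.userForToken(authData.access_token);
  if (!user || user.id !== authData.id) throw new Error('invalid access token');
  return user.id;
}

// Hardened behaviour: the server performs the code exchange with its own
// client credentials, so a code issued to another app cannot be redeemed.
function validateSecure(authData, appConfig) {
  const user = provider.exchangeCode(authData.code, appConfig.clientId, appConfig.clientSecret);
  if (!user || user.id !== authData.id) throw new Error('code not issued to this app');
  return user.id;
}

// Transitional mode for a gradual client rollout: accept both payload shapes
// while the flag is on, reject insecure payloads once it is turned off.
function validate(authData, appConfig) {
  if (authData.code) return validateSecure(authData, appConfig);
  if (appConfig.enableInsecureAuth) return validateInsecure(authData);
  throw new Error('insecure payload rejected');
}
```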

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread:         6.4
  impact:         0.0
  exploitability: 8.6
  remediation:    7.7
  relevance:      0.0
  threat:         4.8
  urgency:        2.9
  incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.