Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- >= 9.0.0, < 9.5.2-alpha.9
- < 8.6.22
A vulnerability in the Parse Server OAuth2 authentication adapter can lead to unauthorized account access. This issue is present in Parse Server versions from 9.0.0 up to, but not including, 9.5.2-alpha.9, and in versions prior to 8.6.22. The vulnerability arises when the adapter is configured with 'oauth2: true' but without the 'useridField' option. In this configuration the adapter only checks that a token is active, via the provider's token introspection endpoint, and never verifies that the token belongs to the user identified by 'authData.id'. As a result, any valid OAuth2 token issued by the same provider can be used to authenticate as another user.
Exploitation of this vulnerability allows for unauthorized authentication, enabling an attacker to impersonate any user by using a valid OAuth2 token from the same provider.
To address this vulnerability, users should update to Parse Server versions 9.5.2-alpha.9 or 8.6.22. Additionally, for deployments using the generic OAuth2 authentication adapter, the 'useridField' option should be set to the appropriate field name for the OAuth2 provider, such as 'sub', to ensure proper token validation against the claimed user ID.
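The following JavaScript is an added illustration, not Parse Server's own adapter code: it models the check described above on a token introspection response and shows how setting 'useridField' (here 'sub') binds the token to the claimed 'authData.id'. The introspection responses and the helper names (introspect, validateAuthData, isSafelyConfigured) are constructed for this example.

```javascript
// Constructed sample introspection responses (RFC 7662 style), keyed by token.
// Stands in for the OAuth2 provider's token introspection endpoint.
const INTROSPECTION = {
  'tok-alice': { active: true, sub: 'alice' },
  'tok-bob':   { active: true, sub: 'bob' },
  'tok-dead':  { active: false },
};

// Hypothetical helper: look a token up at the "provider".
function introspect(token) {
  return INTROSPECTION[token] || { active: false };
}

// Model of the adapter check. authData = { id, access_token }.
// options = { oauth2: true, useridField?: string }.
// Returns true when the token is accepted for the claimed user id.
function validateAuthData(authData, options) {
  const info = introspect(authData.access_token);
  if (!info.active) return false;

  // Without useridField the only check is `active`: any live token from the
  // provider is accepted regardless of which user authData.id names.
  if (!options.useridField) return true;

  // With useridField set (e.g. 'sub'), the introspected subject must equal
  // the id the client claims; a token for another user is rejected.
  return info[options.useridField] === authData.id;
}

// Deployment check a defender can run over the adapter configuration:
// a generic OAuth2 adapter is only safe when useridField is a non-empty string.
function isSafelyConfigured(options) {
  return options.oauth2 === true &&
    typeof options.useridField === 'string' &&
    options.useridField.length > 0;
}

module.exports = { validateAuthData, isSafelyConfigured };
```

Run the same 'authData' with and without 'useridField' to see the difference: a live token for 'bob' presented with 'id: alice' passes the first configuration and fails the second.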