Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- >= 9.0.0, < 9.6.0-alpha.41
- < 8.6.52
An authentication bypass vulnerability in Parse Server allows an attacker to log in as any user linked to a third-party authentication provider, without the user's credentials. It affects Parse Server versions 9.0.0 prior to 9.6.0-alpha.41 and versions prior to 8.6.52. The issue is only exploitable when the server option 'allowExpiredAuthDataToken' is set to true, which is not the default. An attacker who knows the user's provider ID can log in as that user and obtain a valid session token, gaining access to the account.
The vulnerability allows unauthorized access to user accounts through third-party authentication providers, bypassing credential verification and potentially leading to account takeover.
To reproduce this vulnerability, enable the 'allowExpiredAuthDataToken' option on a Parse Server deployment. Then log in as a user who has linked a third-party authentication provider, supplying only the provider ID and no access token: send a login request whose authData contains the provider ID but omits the access token. The server incorrectly accepts the login and grants access to the user's account.
Parse Server versions 8.6.52 and 9.6.0-alpha.41 patch this vulnerability; update to one of these versions. As a workaround, set 'allowExpiredAuthDataToken' to false or remove it from the server configuration, since the issue is not exploitable with the default setting.
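Added example (not Parse Server's own code) that turns the affected-version ranges and the option condition above into a small JavaScript check: it compares versions with semver precedence (so 9.6.0-alpha.40 is affected while 9.6.0-alpha.41 and 9.6.0 are not) and reports a deployment as exposed only when the running version is affected and 'allowExpiredAuthDataToken' is true. The function names and the two sample option objects are assumptions made for this example; 'allowExpiredAuthDataToken' itself is the real server option named in the advisory.

```javascript
// Added example, not Parse Server code. Decides whether a deployment is
// exposed to the allowExpiredAuthDataToken authentication bypass.
// Exposed only if BOTH hold:
//   1. version is in an affected range: >= 9.0.0 and < 9.6.0-alpha.41, or < 8.6.52
//   2. the server option allowExpiredAuthDataToken is true (default is false)

// Split "9.6.0-alpha.41" into numeric core [9,6,0] and prerelease ["alpha","41"].
function parseVersion(v) {
  const s = v.trim().replace(/^v/, '');
  const dash = s.indexOf('-');
  const core = dash === -1 ? s : s.slice(0, dash);
  const pre = dash === -1 ? [] : s.slice(dash + 1).split('.');
  const nums = core.split('.').map(Number);
  if (nums.length !== 3 || nums.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a semver version: ${v}`);
  }
  return { nums, pre };
}

// Semver precedence: major.minor.patch numerically; a release ranks above the
// same version with a prerelease; prerelease identifiers compare numerically
// when both are numeric, lexically otherwise, numeric < alphanumeric, and a
// shorter identifier list ranks lower when all preceding identifiers match.
function compareVersions(a, b) {
  const A = parseVersion(a);
  const B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.nums[i] !== B.nums[i]) return A.nums[i] < B.nums[i] ? -1 : 1;
  }
  if (A.pre.length === 0 && B.pre.length === 0) return 0;
  if (A.pre.length === 0) return 1;
  if (B.pre.length === 0) return -1;
  const n = Math.min(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const x = A.pre[i];
    const y = B.pre[i];
    const xNum = /^\d+$/.test(x);
    const yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum !== yNum) {
      return xNum ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  if (A.pre.length !== B.pre.length) return A.pre.length < B.pre.length ? -1 : 1;
  return 0;
}

// The two affected ranges from the advisory.
function isAffectedVersion(version) {
  const lt = (a, b) => compareVersions(a, b) < 0;
  const gte = (a, b) => compareVersions(a, b) >= 0;
  return (gte(version, '9.0.0') && lt(version, '9.6.0-alpha.41')) || lt(version, '8.6.52');
}

// `options` is assumed to be the already-parsed object handed to the Parse
// Server constructor, so the option is a boolean here, not an env string.
function isExposed(version, options) {
  return isAffectedVersion(version) && options.allowExpiredAuthDataToken === true;
}

// Constructed sample configurations (hypothetical values, not a real deployment):
// the weak setting beside the corrected one.
const weakOptions = { appId: 'example-app', allowExpiredAuthDataToken: true };
const fixedOptions = { appId: 'example-app', allowExpiredAuthDataToken: false };

console.log('9.5.0 + weak option exposed:', isExposed('9.5.0', weakOptions));
console.log('9.5.0 + fixed option exposed:', isExposed('9.5.0', fixedOptions));
console.log('9.6.0 + weak option exposed:', isExposed('9.6.0', weakOptions));
```

Run it with Node against the version string from the deployment's package.json and the options object passed to the Parse Server constructor. Note that the 9.x fix is a prerelease (9.6.0-alpha.41), so a plain "is the patch version greater" comparison that ignores prerelease identifiers would wrongly treat 9.6.0-alpha.40 as fixed.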