Parse Server LiveQuery Protected Field Oracle Vulnerability

Vulnerability

A vulnerability exists in Parse Server versions prior to 8.6.54, and in 9.x pre-releases prior to 9.6.0-alpha.43. A client that can open a LiveQuery subscription can pass a watch parameter naming protected fields. The values of those fields are stripped from event payloads, but LiveQuery only emits an update event when a watched field has changed, so whether an event arrives at all tells the subscriber whether the protected field changed. This is a binary oracle on the protected field. For a boolean field a change can only be a flip, so once the starting value is known, each observed event reveals the field's current value without the value ever appearing in a payload.

Impact

An attacker with LiveQuery access gains a binary oracle on the state of protected fields: each update event confirms that a watched protected field changed, even though the field's value is removed from the payload. For boolean fields this is enough to recover the value itself, because a change is necessarily a flip from the previous value.

Reproduction

To reproduce, subscribe to a LiveQuery with a watch parameter that includes a protected field. The subscription is accepted rather than rejected. Because an update event is emitted only when a watched field changes, the arrival or absence of update events after each save reveals whether the protected field changed, while its value stays out of the payload. A script that records which saves produce an event turns this into an automated oracle; for a boolean field, counting flips from a known starting value yields the current value.
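The following is an added illustration written for this page, not Parse Server code and not the project's patch. It models the behaviour described in the Vulnerability and Reproduction sections with plain objects: a toy version of LiveQuery's watch filter that strips protected values but still emits the event, the boolean oracle built on top of it, and one possible hardening check that refuses watch entries naming fields the requester may not read. The class-level permission fragment, the field names (isAdmin, apiToken), the requester keys and the sequence of saved object states are all constructed for the example. It also assumes that the protected fields for a requester are the intersection of the lists for every matching protectedFields key; that resolution rule is an assumption of this example, not something the advisory states.

```javascript
// Added example, not Parse Server code: a toy model of how a LiveQuery "watch" list
// interacts with protectedFields, and a hardening check that refuses leaking watches.

// Constructed CLP fragment in the shape of Parse's protectedFields config (hypothetical names).
const clp = {
  protectedFields: {
    '*': ['isAdmin', 'apiToken'],
    'role:Admin': [],
  },
};

// Assumption for this example: the protected fields for a requester are the intersection
// of the lists of every key that matches the requester, so a more privileged key unprotects.
function protectedFieldsFor(clp, requesterKeys) {
  const lists = requesterKeys
    .filter(k => Array.isArray(clp.protectedFields[k]))
    .map(k => clp.protectedFields[k]);
  if (lists.length === 0) return [];
  return lists.reduce((acc, list) => acc.filter(f => list.includes(f)));
}

// Watched fields whose value differs between the stored and the newly saved object.
function changedWatchedFields(original, current, watch) {
  return watch.filter(f => original[f] !== current[f]);
}

// Vulnerable behaviour described by the advisory: the update event is emitted whenever
// any watched field changed, protected ones included; only the protected values are removed.
function buildUpdateEvent(original, current, watch, protectedFields) {
  if (changedWatchedFields(original, current, watch).length === 0) return null;
  const object = { ...current };
  for (const f of protectedFields) delete object[f];
  return { op: 'update', object };
}

// The oracle: subscribe with watch=[field] as an unprivileged requester. An event arrives
// exactly when the protected boolean flipped, so from a known starting value the subscriber
// tracks its current value without ever receiving it in a payload.
function recoverBoolean(field, knownStart, states, requesterKeys) {
  const protectedFields = protectedFieldsFor(clp, requesterKeys);
  const watch = [field];
  let current = knownStart;
  const recovered = [];
  for (let i = 1; i < states.length; i++) {
    const event = buildUpdateEvent(states[i - 1], states[i], watch, protectedFields);
    if (event !== null) {
      if (field in event.object) throw new Error('protected value should have been stripped');
      current = !current; // the only watched field is a boolean, so a change is a flip
    }
    recovered.push(current);
  }
  return recovered;
}

// Hardened behaviour (one way to close the oracle; not the project's own fix): reject a
// subscription whose watch list names a field the requester is not allowed to read.
function validateWatch(watch, requesterKeys) {
  const protectedFields = protectedFieldsFor(clp, requesterKeys);
  const leaking = watch.filter(f => protectedFields.includes(f));
  if (leaking.length > 0) {
    throw new Error(`watch may not target protected fields: ${leaking.join(', ')}`);
  }
  return watch;
}

// Constructed sequence of saves to one user object. isAdmin is protected for '*'.
const userStates = [
  { objectId: 'u1', name: 'alice', isAdmin: false },
  { objectId: 'u1', name: 'alice', isAdmin: true },
  { objectId: 'u1', name: 'alicia', isAdmin: true }, // no event: the watched field did not change
  { objectId: 'u1', name: 'alicia', isAdmin: false },
];

// Unprivileged requester ('*') learns the protected boolean from event arrival alone.
const leaked = recoverBoolean('isAdmin', false, userStates, ['*']);
// leaked is [true, true, false]

// With the check in place the same subscription is refused for '*' but accepted for an admin.
let refused = false;
try { validateWatch(['isAdmin'], ['*']); } catch (e) { refused = true; }
const adminWatch = validateWatch(['isAdmin'], ['*', 'role:Admin']);
console.log({ leaked, refused, adminWatch });
```

The second state transition (name changed, isAdmin unchanged) produces no event, which is exactly the property the watch parameter exists for and the property the oracle abuses: the subscriber never sees isAdmin, but the presence of an event for the first and third transitions and its absence for the second is enough to reconstruct every value.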

Remediation

Upgrade to Parse Server 8.6.54 or later, or to 9.6.0-alpha.43 or later on the 9.x pre-release line, where this vulnerability has been patched. Upgrade instructions are in the Parse Server documentation.

Added: Mar 24, 2026, 7:33 PM
Updated: Mar 24, 2026, 7:33 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.