Parse Server MFA Recovery Code Reuse Vulnerability

Vulnerability

A vulnerability in Parse Server allowing for the reuse of multi-factor authentication (MFA) recovery codes has been identified. This issue affects Parse Server versions prior to 8.6.60 and 9.6.0-alpha.54. The vulnerability arises because an attacker who obtains a user's password and a single MFA recovery code can misuse that code an unlimited number of times by sending concurrent login requests. This exploitation undermines the intended single-use functionality of recovery codes. The attack requires the user's password, a valid recovery code, and the capability to send multiple requests simultaneously within a short timeframe.

Impact

Exploitation of this vulnerability allows for the unauthorized reuse of MFA recovery codes, bypassing their single-use requirement and potentially leading to unauthorized access to user accounts.

Reproduction

To reproduce this vulnerability, first obtain a user's password and a valid MFA recovery code. Then, send concurrent login requests using the recovery code. The login requests can be sent through a script or a tool that allows for simultaneous HTTP requests, such as a load testing tool or a custom script using a programming language that can handle concurrent network requests. Ensure that the requests are sent within milliseconds of each other to successfully exploit the vulnerability.
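As an added illustration (not Parse Server's own code), the JavaScript below models the check-then-update pattern that produces the race described in the Vulnerability and Reproduction sections, next to an atomic consume step that restores the single-use guarantee; the in-memory store, the timer-based round-trip delay and the sample code value are constructed stand-ins for a real database and user record, and the simulation runs in-process with no network.

```javascript
// Added example, not Parse Server code: a check-then-update recovery-code
// consumer versus an atomic one, exercised by concurrent login attempts.
// Store is a constructed in-memory stand-in for a database row.
class Store {
  constructor(codes) { this.codes = [...codes]; }
  // Simulated round trip: yields to the event loop like a database query would.
  async roundTrip() { await new Promise(r => setTimeout(r, 0)); }
  async read() { await this.roundTrip(); return [...this.codes]; }
  async write(codes) { await this.roundTrip(); this.codes = codes; }
  // Simulated atomic conditional update (like a findOneAndUpdate whose filter
  // includes the code): the check and the removal happen in one step, so only
  // the first caller to reach the store sees the code as valid.
  async consumeAtomic(code) {
    await this.roundTrip();
    const i = this.codes.indexOf(code);
    if (i === -1) return false;
    this.codes.splice(i, 1);
    return true;
  }
}

// Race-prone pattern: concurrent requests all read the same snapshot, each
// sees the code as unused, and each then writes its own "consumed" list.
async function loginRaceProne(store, code) {
  const codes = await store.read();
  if (!codes.includes(code)) return false;
  await store.write(codes.filter(c => c !== code));
  return true;
}

// Hardened pattern: validity check and consumption are one atomic operation.
async function loginAtomic(store, code) {
  return store.consumeAtomic(code);
}

// Fire n simultaneous logins with the same code; return how many succeeded.
async function countSuccesses(loginFn, store, code, n) {
  const results = await Promise.all(
    Array.from({ length: n }, () => loginFn(store, code)));
  return results.filter(Boolean).length;
}

async function demo() {
  const code = 'CONSTRUCTED-RECOVERY-CODE'; // constructed sample value
  const naive = await countSuccesses(loginRaceProne, new Store([code]), code, 5);
  const atomic = await countSuccesses(loginAtomic, new Store([code]), code, 5);
  return { naive, atomic }; // expected: { naive: 5, atomic: 1 }
}
```

The count of successful logins with a single code is the detection signal a defender can monitor: more than one success per recovery code indicates the non-atomic path is still in use.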

Remediation

Users can upgrade to Parse Server versions 8.6.60 or 9.6.0-alpha.54, where this vulnerability has been patched.

Added: Mar 24, 2026, 7:24 PM
Updated: Mar 24, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 1.3
exploitability: 5.5
remediation: 7.7
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.