Parse Server Auth Data Exposure Vulnerability via Master Context Leak

Vulnerability

A vulnerability exists in Parse Server versions prior to 8.6.61 and prior to 9.6.0-alpha.55, where an authenticated user can read unsanitized authentication data through the '/users/me' endpoint. This data includes sensitive material such as Multi-Factor Authentication (MFA) Time-Based One-Time Password (TOTP) secrets and recovery codes. The issue arises because the endpoint uses master-level authentication to query the session, and that master context carries over into the user query, bypassing the sanitization that normally strips auth data from responses to non-master callers. As a result, an attacker holding a user's session token can extract the MFA secret and generate valid TOTP codes indefinitely.

Impact

Exploitation of this vulnerability allows for unauthorized access to MFA TOTP secrets and recovery codes, enabling an attacker to generate valid TOTP codes indefinitely.

Reproduction

To reproduce this vulnerability, an authenticated user sends a GET request to the '/users/me' endpoint with their session token in the request headers. On an unpatched server the response contains raw authentication data, including MFA TOTP secrets and recovery codes, that should never be returned to a session-token caller.
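
The following is an added example, not Parse Server's own code: a check an operator can run over the JSON body returned by the '/users/me' request above to confirm that a session-token caller no longer receives secret-bearing authData fields, alongside the minimal sanitized shape such a caller should get. The field names under authData.mfa (secret, recovery) and the key list in SECRET_KEY_RE are assumptions for illustration.

```javascript
// Added example (not Parse Server code). Flags secret material in the authData
// of a /users/me response and shows the sanitized form a non-master caller
// should receive. Key names matched below are assumptions, not Parse's list.

// Keys whose values are secrets regardless of the auth provider (assumed set).
const SECRET_KEY_RE = /^(secret|recovery|recoveryCodes|access_token|refresh_token)$/i;

// Returns dotted paths under `authData` that carry secret material.
// An empty list means the response is safe to hand to a session-token caller.
function findLeakedAuthSecrets(userJson) {
  const leaks = [];
  const authData = userJson && userJson.authData;
  if (!authData || typeof authData !== 'object') return leaks;
  for (const [provider, data] of Object.entries(authData)) {
    if (!data || typeof data !== 'object') continue;
    for (const key of Object.keys(data)) {
      if (SECRET_KEY_RE.test(key)) leaks.push(`authData.${provider}.${key}`);
    }
  }
  return leaks;
}

// Minimal sanitization for a non-master caller: keep provider names so the
// client can tell which providers are linked, drop the secret-bearing fields.
// Does not mutate its input.
function sanitizeForSessionCaller(userJson) {
  const copy = JSON.parse(JSON.stringify(userJson));
  if (copy.authData && typeof copy.authData === 'object') {
    for (const data of Object.values(copy.authData)) {
      if (!data || typeof data !== 'object') continue;
      for (const key of Object.keys(data)) {
        if (SECRET_KEY_RE.test(key)) delete data[key];
      }
    }
  }
  return copy;
}

// Constructed sample of what an unpatched server returns to a session-token
// caller (values are placeholders, not real secrets).
const VULNERABLE_RESPONSE = {
  objectId: 'abc123', username: 'alice', sessionToken: 'r:constructed',
  authData: { mfa: { secret: 'BASE32SECRET', recovery: ['code-1', 'code-2'] } },
};

console.log('leaked fields:', findLeakedAuthSecrets(VULNERABLE_RESPONSE));
console.log('after sanitizing:', findLeakedAuthSecrets(sanitizeForSessionCaller(VULNERABLE_RESPONSE)));
```

Feed the body of a real '/users/me' response (made with a session token only, no master key) to findLeakedAuthSecrets; a patched server should yield an empty list.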

Remediation

Users can upgrade to Parse Server versions 8.6.61 or 9.6.0-alpha.55, where this vulnerability has been patched.

Added: Mar 24, 2026, 7:22 PM
Updated: Mar 24, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 3.1
exploitability: 5.8
remediation: 7.7
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.