Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- >= 9.0.0, < 9.7.0-alpha.8
- < 8.6.64
A vulnerability in Parse Server prior to versions 8.6.64 and 9.7.0-alpha.8 allows an attacker who holds a valid authentication provider token and a single MFA recovery code or SMS one-time password to bypass the single-use guarantee of that code. The authData login flow validates the code and invalidates it in separate steps, so several login requests sent concurrently through the authData login endpoint can each see the code as unused before any of them marks it consumed. Every request that wins the race is issued its own session token, so the attacker ends up with multiple authenticated sessions. These extra sessions remain valid after the legitimate user revokes sessions, which gives the attacker persistent access.
Exploitation turns a single recovery code or SMS one-time password into multiple authenticated sessions. The attacker already needs the first factor (a valid provider token), so the damage is to the second factor: the code no longer protects against reuse, and the surplus sessions let the attacker keep access after the user has revoked the sessions they know about.
To reproduce this vulnerability, first log in to a Parse Server instance using an authentication provider that supports MFA. After logging in, enable MFA and obtain a recovery code or an SMS one-time password. Then send several login requests concurrently (not one after another) through the authData login endpoint, each carrying the same provider token and the same recovery code or one-time password. On an unpatched server, more than one request returns a session token; counting the distinct session tokens returned is the check. A patched server returns a session token for at most one of the concurrent requests and rejects the rest, since the code is single-use.
Users can upgrade to Parse Server version 8.6.64 or 9.7.0-alpha.8, where this vulnerability has been patched. The fix implements optimistic locking in the authData login process: a request reads the user record, validates the code, and then commits the consumption only if the record has not changed since it was read. Of several concurrent requests presenting the same MFA code, only the first to commit succeeds; the others detect the conflict and are rejected instead of each issuing a session. Note that upgrading closes the race but does not by itself invalidate sessions an attacker may already have created through it, so operators should also review active sessions for affected users.