Insufficiently Protected Credentials

Affecting parse package, versions <2.10.0

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

parse is a library that gives you access to the powerful Parse Server backend from your JavaScript app.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials. The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."

PoC by Diamond Lewis and Colin Ulin

async () => {
    const user = Parse.User.current()
    if (user) {
        user.setPassword('newpass')
        await user.save()
    }
}

After running the above code, the new password will be stored in localStorage as a property named "password".

Remediation

Upgrade parse to version 2.10.0 or higher.

References

CVSS Score

4.9
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/RL:O
Credit
Diamond Lewis, Colin Ulin
CWE
CWE-255
Snyk ID
SNYK-JS-PARSE-590110
Disclosed
24 Jul, 2020
Published
24 Jul, 2020