Insufficiently Protected Credentials Affecting parse package, versions <2.10.0
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-PARSE-590110
- published24 Jul 2020
- disclosed24 Jul 2020
- creditDiamond Lewis, Colin Ulin
Introduced: 24 Jul 2020
CVE NOT AVAILABLE CWE-255 (opens in a new tab)How to fix?
Upgrade parse to version 2.10.0 or higher.
Overview
parse is a library that gives you access to the powerful Parse Server backend from your JavaScript app.
Affected versions of this package are vulnerable to Insufficiently Protected Credentials. The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."
PoC by Diamond Lewis and Colin Ulin
async () => {
const user = Parse.User.current()
if (user) {
user.setPassword('newpass')
await user.save()
}
}
After running the above code, the new password will be stored in localStorage as a property named "password".