Parse the parcel
Popular web server API framework Parse Platform is inherently vulnerable to several security vulnerabilities, security researcher Ben Heald warns.
Parse is a framework, similar to Firebase, that allows developers to quickly and easily create a backend API and integrate it with their iOS and Android applications.
“Unfortunately, the default configuration of the Parse server leaves user data completely exposed,” Heald told The Daily Swig. “Other vulnerabilities also include default unrestricted file upload.”
Having scanned the 1,000 most popular Android apps, Heald estimates that those built using Parse Platform have around 63 million users.
Universally vulnerable?
“I have yet to find an instance of a mobile application being built with Parse and not being vulnerable,” Heald told The Daily Swig.
Heald went public with his findings in a technical blog post last week. Seven unnamed dating, social media, productivity, and mobile gaming apps were all vulnerable because of their reliance on the Parse Platform, according to Heald.
The security researcher has privately emailed the affected vendors to flag up his concerns and suggest possible remediation for various read access and file upload risks that he identified.
“The largest of these, a mobile gaming platform with 55 million users, has been in contact with me and is in the process of fixing their vulnerable application,” Heald told The Daily Swig. “Unfortunately, no other applications have replied to my warnings.”
RECOMMENDED GitHub’s Nico Waisman: ‘Security is not just an opportunity, but a responsibility for us’
The proper implementation of the class-level and object-level access permissions, as detailed in the Parse documentation, allows developers to mitigate against most of these vulnerabilities, according to Heald.
“Unfortunately, in order to implement a mitigation of the unrestricted file upload vulnerability, a more complex fix will need to be implemented,” he warned.
The Daily Swig sought comment from Parse Platform’s developers on these findings but we’re yet to receive a substantive response.
Heald said he’d unsuccessfully tried to flag up issues to the developers via GitHub for some time before going public with his latest findings.
Past imperfect
The security researcher was prompted to look deeper into Parse after first encountering it in a Fortune 500 internet company’s public bug bounty program, he explained.
Heald said he was able to exploit numerous security issues in a social media application that the company had created used Parse that he later discovered were “inherent to the design of the Parse Platform”.
“I was able to report several of the issues I outlined in my report, and after investigating I found these issues were deliberate design decisions on the part of the Parse developers,” he told The Daily Swig.
After finding several security issues, Heald reported them to the program and then later found that those issues were systemic issues with the Parse platform itself.
“During Covid-19 lockdown I finally had the time to research how widespread vulnerable Parse instances are, and so conducted this research,” Heald said.
“Over the years, many people have raised issues on Github about Parse security, but the developers have dismissed them each time.”
The security researcher cited the responses by developers on an issue to do with anonymous file uploads and a separate bug report through GitHub about access controls as evidence in support of his criticisms.
Parse was created back in 2011 as a paid service that eventually shut down after being acquired by Facebook in 2017. Since then, the Parse Platform has existed as an open source ‘parse server’ module for Node/Express.
RELATED Unpatched regex bug leaves Node.js apps open to ReDoS attacks
