Fake certificates could be used to bypass authentication controls
A vulnerability in Parse Server software has led to the discovery of an authentication bypass impacting Apple Game Center.
The software is a backend system compatible with any infrastructure able to run Node.js, the Express web application framework, and can be operated independently or with existing web applications.
According to a security advisory published on June 17, a bug in Parse Server versions before 4.10.11/5.0.0/5.2.2 caused a validation issue in Apple Game Center.
Apple calls the Game Center its ‘social gaming network’. The platform includes leaderboards and real-time multiplayer play.
Tracked as CVE-2022-31083 and issued a CVSS severity score of 8.6, the security issue is described as a scenario in which the authentication adapter for Apple Game Center’s security certificate is not validated.
“As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object,” the advisory reads.
Attack complexity is considered low and no privileges are required.
A fix has been issued in Parse Server 4.10.11/5.2.2. A new rootCertificateUrl property has been implemented in the software’s Apple Game Center auth adapter, which “takes the URL to the root certificate of Apple’s Game Center authentication certificate”.
If developers have not set a value in the authentication system, the new property defaults to the URL of the root certificate in use by Apple.
There is no workaround available. Furthermore, the advisory notes that it is also an Apple ecosystem developer’s responsibility to keep the root certificate up to date while using the Parse Server Apple Game Center auth adapter.
Game Center will receive a revised dashboard look complete with friends’ activities in iOS 16, set for release later this year.
“Improper validation could allow attackers to bypass authentication, making the server vulnerable to simple remote attacks,” Jake Moore, global cybersecurity advisor at ESET, told The Daily Swig.
“It’s not often that Apple misses the mark on a security feature but without the requirement of authentication, this is a potentially dangerous and even an easy attack. The best way to avoid this threat would be to quickly patch devices with the latest update.”
The Daily Swig has reached out to Apple and we will update if we hear back.