Severe Parse Server bug impacts Apple Game Center
Fake certificates could be used to bypass authentication controls
A vulnerability in Parse Server software has led to the discovery of an authentication bypass impacting Apple Game Center.
Parse Server is an open source backend, hosted on GitHub, whose features include push notifications for iOS, macOS, Android, and tvOS apps.
The software can be deployed to any infrastructure able to run Node.js, works with the Express web application framework, and can be run on its own or added to an existing web application.
According to a security advisory published on June 17, a bug in Parse Server versions before 4.10.11, and in the 5.x line before 5.2.2, caused a certificate validation issue in the software’s Apple Game Center authentication adapter.
Apple calls the Game Center its ‘social gaming network’. The platform includes leaderboards and real-time multiplayer play.
Bypassing authentication
Tracked as CVE-2022-31083 and issued a CVSS severity score of 8.6, the security issue is that the certificate referenced by the Apple Game Center authentication adapter is not validated.
“As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object,” the advisory reads.
Attack complexity is considered low and no privileges are required.
A fix has been issued in Parse Server 4.10.11 and 5.2.2. A new rootCertificateUrl property has been implemented in the software’s Apple Game Center auth adapter, which “takes the URL to the root certificate of Apple’s Game Center authentication certificate”.
If developers have not set a value in the authentication system, the new property defaults to the URL of the root certificate in use by Apple.
There is no workaround available. The advisory also notes that the root certificate can change at any time, so it is the developer’s responsibility to keep the root certificate URL up to date while using the Parse Server Apple Game Center auth adapter.
Game Center will receive a revised dashboard look complete with friends’ activities in iOS 16, set for release later this year.
“Improper validation could allow attackers to bypass authentication, making the server vulnerable to simple remote attacks,” Jake Moore, global cybersecurity advisor at ESET, told The Daily Swig.
“It’s not often that Apple misses the mark on a security feature but without the requirement of authentication, this is a potentially dangerous and even an easy attack. The best way to avoid this threat would be to quickly patch devices with the latest update.”
The Daily Swig has reached out to Apple and we will update if we hear back.
### Impact

The certificate in the Apple Game Center auth adapter is not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object.

### Patches

To prevent this, a new `rootCertificateUrl` property is introduced to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the `rootCertificateUrl` property defaults to the URL of the [current root certificate](https://developer.apple.com/news/?id=stttq465) as of May 27, 2022. Keep in mind that the root certificate can change at any time (expected to be announced by Apple) and that it is the developer's responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter.

### Workarounds

None.

### References

- https://github.com/parse-community/parse-ser...
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter is not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object. Versions 4.10.11 and 5.2.2 prevent this by introducing a new `rootCertificateUrl` property to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the `rootCertificateUrl` property defaults to the URL of the current root certificate as of May 27, 2022. Keep in mind that the root certificate can change at any time and that it is the developer's responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter. There are no k...