Impact
Versions prior to 3.6.0 could allow an account enumeration attack via account linking.
ParseError.ACCOUNT_ALREADY_LINKED (208) was thrown BEFORE the AuthController checked the password and threw ParseError.SESSION_MISSING (206) for insufficient auth. Because the "already linked" error was returned to unauthenticated callers, an attacker could guess ids and learn which accounts and email addresses were linked.
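The ordering bug above, as an added illustration that is not parse-server's own code: a minimal link handler in the vulnerable order (link-state check before the auth check) beside the corrected order (auth check first), plus a small check that tells whether an unauthenticated caller can distinguish a linked id from an unlinked one. The request shape, the in-memory store and the sample ids are constructed for this example; only the two error codes come from the advisory.

```javascript
// Added example; NOT parse-server code. Request/store shapes are hypothetical.
const ACCOUNT_ALREADY_LINKED = 208; // ParseError code named in the advisory
const SESSION_MISSING = 206;        // ParseError code named in the advisory

// Constructed sample data: provider id "gh-1001" is already linked to user-A.
const linkedAccounts = new Map([
  ['github', new Map([['gh-1001', 'user-A']])],
]);

// True when providerId is linked to some user other than userId.
function isLinkedElsewhere(provider, providerId, userId) {
  const byProvider = linkedAccounts.get(provider);
  const owner = byProvider && byProvider.get(providerId);
  return owner !== undefined && owner !== userId;
}

// Vulnerable ordering (the pre-3.6.0 behaviour the advisory describes):
// the "already linked" check runs before the caller is authenticated, so an
// unauthenticated request gets 208 for a linked id and 206 for an unlinked one.
function linkVulnerable(req) {
  if (isLinkedElsewhere(req.provider, req.providerId, req.userId)) {
    return { error: ACCOUNT_ALREADY_LINKED };
  }
  if (!req.sessionToken) return { error: SESSION_MISSING };
  return { ok: true };
}

// Fixed ordering: authenticate first. Unauthenticated callers always get 206,
// so the response no longer depends on whether the provider id is linked.
function linkFixed(req) {
  if (!req.sessionToken) return { error: SESSION_MISSING };
  if (isLinkedElsewhere(req.provider, req.providerId, req.userId)) {
    return { error: ACCOUNT_ALREADY_LINKED };
  }
  return { ok: true };
}

// Regression check a defender can keep in a test suite: the handler leaks
// link state if an unauthenticated request yields different error codes for
// a linked and an unlinked id.
function leaksLinkState(handler) {
  const probe = (providerId) =>
    handler({ provider: 'github', providerId, userId: 'user-B', sessionToken: null }).error;
  return probe('gh-1001') !== probe('gh-9999');
}

module.exports = { linkVulnerable, linkFixed, leaksLinkState, ACCOUNT_ALREADY_LINKED, SESSION_MISSING };
```

The point of the check is that the fix is purely about ordering: the same two error codes are still emitted, but only an authenticated caller can ever reach the one that reveals account state.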
Patches
The issue is fixed in release 3.6.0 of parse-server.
Workarounds
None.
References
Description of Enumeration Attack
The fix: 73b0f9a
For more information
If you have any questions or comments about this advisory: