Critical Vulnerability Allowed Apple Game Center Authentication Bypass

Researchers discovered a critical vulnerability affecting Apple’s Game Center that allowed authentication bypass. The bug existed in Parse Server, exposing it to remote attacks.

Apple Game Center vulnerability

According to a recent advisory on GitHub, a critical authentication bypass vulnerability existed in Parse Server, threatening the security of Apple Game Center.

Parse Server is an open-source backend server that users can deploy on any infrastructure running Node.js.

Explaining the impact of this vulnerability, the advisory reads,

The certificate in the Apple Game Center authentication adapter is not validated. Therefore, authentication could potentially be circumvented by making a fake certificate accessible through certain Apple domains and providing the URL for that certificate in an authData object.

The bug received the identifier CVE-2022-31083 and a severity rating of critical, with a CVSS score of 8.6. It affected versions of Parse Server prior to 4.10.11 and 5.2.2. The bug existed because the Parse Server Apple Game Center authentication adapter did not validate the certificate. Thus, an adversary could carry out an authentication bypass using a fake certificate. As mentioned in the NVD vulnerability description,

Prior to 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center authentication adapter was not validated. Therefore, authentication could potentially be circumvented by making a fake certificate accessible through certain Apple domains and providing the URL for that certificate in an authData object.

However, versions 4.10.11 and 5.2.2 fix this flaw by introducing a new rootCertificateUrl property to the Parse Server Apple Game Center authentication adapter. It “takes the Root Certificate URL from Apple’s Game Center Authentication Certificate”.

If developers do not set a value for it, the new property defaults to the URL of the existing root certificate. The advisory urges developers to keep the Root Certificate URL up-to-date when using the Parse Server Apple Game Center Authentication Adapter.
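
The kind of check the fix describes can be sketched as follows. This is an added example, not Parse Server's own code: the function names, the `publicKeyUrl` field name, the `*.apple.com` host rule and the assumption that the pinned certificate is the leaf's direct issuer are illustrative, and the sample PEM is constructed.

```javascript
const crypto = require('node:crypto');

// Assumption: "certain Apple domains" approximated as https on *.apple.com.
function isAppleHostedUrl(publicKeyUrl) {
  try {
    const u = new URL(publicKeyUrl);
    return u.protocol === 'https:' && u.hostname.endsWith('.apple.com');
  } catch {
    return false; // not a parseable URL
  }
}

// True only if the leaf was issued and signed by the pinned certificate
// (assumed here to be its direct issuer) and is inside its validity window.
function chainsToPinnedRoot(leafPem, rootPem, now = new Date()) {
  try {
    const leaf = new crypto.X509Certificate(leafPem);
    const root = new crypto.X509Certificate(rootPem);
    const inWindow = new Date(leaf.validFrom) <= now && now <= new Date(leaf.validTo);
    return inWindow && leaf.checkIssued(root) && leaf.verify(root.publicKey);
  } catch {
    return false; // unparsable input is treated as untrusted
  }
}

// Returns the leaf public key for the later signature check, or throws.
function trustedSigningKey(authData, leafPem, rootPem) {
  if (!isAppleHostedUrl(authData.publicKeyUrl)) {
    throw new Error('publicKeyUrl is not on an allowed host');
  }
  // Where the certificate is hosted proves nothing about who issued it.
  if (!chainsToPinnedRoot(leafPem, rootPem)) {
    throw new Error('certificate does not chain to the pinned root');
  }
  return new crypto.X509Certificate(leafPem).publicKey;
}

// Constructed sample input: PEM-shaped text that is not a real certificate.
const CONSTRUCTED_BOGUS_PEM =
  '-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydA==\n-----END CERTIFICATE-----\n';

function demo() {
  const authData = { publicKeyUrl: 'https://static.gc.apple.com/constructed/example.cer' };
  try {
    trustedSigningKey(authData, CONSTRUCTED_BOGUS_PEM, CONSTRUCTED_BOGUS_PEM);
    return 'accepted';
  } catch (e) {
    return e.message;
  }
}
```

Calling `demo()` shows a certificate URL that passes the host rule still being rejected, because the certificate behind it does not verify against the pinned root.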

Although a patch is available, there is currently no workaround for the vulnerability.
