Charlie Osborne June 22, 2022 at 14:08 UTC
Updated: Jun 22, 2022 15:41 UTC
Fake certificates could be used to bypass authentication checks
A vulnerability in Parse Server software led to the discovery of an authentication bypass impacting Apple Game Center.
Parse Server is an open source project available on GitHub that provides push notification functionality for iOS, macOS, Android, and tvOS.
The software is a backend system compatible with any infrastructure capable of running Node.js, the Express web application framework, and can be used independently or with existing web applications.
Learn about the latest Apple security news
According to a security advisory released on June 17, a bug in Parse Server versions earlier than 4.10.11/5.0.0/5.2.2 caused a validation issue in Apple Game Center.
Apple calls Game Center its “social gaming network.” The platform includes leaderboards and real-time multiplayer gameplay.
Tracked as CVE-2022-31083 and issued a CVSS severity score of 8.6, the security issue is described as a scenario where the authentication adapter for Apple Game Center’s security certificate is not Not valid.
“As a result, authentication could potentially be circumvented by making a fake certificate accessible through certain Apple domains and providing the URL for that certificate in an authData object,” the advisory reads.
Attack complexity is considered low and no privileges are required.
A fix has been released in Parse Server 4.10.11/5.2.2. A new rootCertificateUrl property has been implemented in the software’s Apple Game Center authentication adapter, which “takes the URL to the root certificate of Apple’s Game Center authentication certificate”.
If the developers didn’t set a value in the authentication system, the new property defaults to the URL of the root certificate used by Apple.
There is no workaround available. Additionally, the advisory notes that it is also the Apple ecosystem developer’s responsibility to keep the root certificate up-to-date when using the Parse Server Apple Game Center Authentication Adapter.
Game Center will get a revised dashboard with Friends Activities in iOS 16, which is slated for release later this year.
“Incorrect validation could allow attackers to bypass authentication, leaving the server vulnerable to simple remote attacks,” Jake Moore, global cybersecurity adviser at ESET, told The Daily Swig.
“It’s not often that Apple misses the mark on a security feature, but without the authentication requirement, this is a potentially dangerous and even easy attack. The best way to avoid this threat would be to quickly patch devices with the latest update.
The daily sip has contacted Apple and we will update if we receive a response.
RECOMMENDED GhostTouch: Hackers Can Access Your Phone’s Touchscreen Without Even Touching It