What’s Behind Bypass Vulnerability of Apple Game Center?
Apple Game Center
You already know that Apple is a Brand that can’t be beaten so easily by any other competitors. However, nobody can say that things might change when. So, you can think that Apple can make mistakes too. A few days ago, the Apple Game Center got into the spotlight for behaving unusually.
The seriousness breakdown when it is the sensitive point of the market. Due to a certain vulnerability in its Parse Server, it got into a flex, where it had a bug freeing the access to the control panel/ User ID. The Bug is allowing attackers to Authenticate Bypass.
PARSE SERVER
It’s an Open-Source Backend Server. Users are used to deploy for any main purpose of theirs from any infrastructure running Node.js.
Impact of this Bug
Apple Game Center’s Auth Adapter isn’t validated, therefore bypassing is possible. It can be possible by making fake docs (certificate) that are accessible via certain Apple Domains. Also, they (attacker) need to provide the URL to that Certificate in AuthData Object.
That Bug has got the ID number CVE-2022-31083, and it has a severe critical rating, following a score of 8.6. This Bug had a lot of effect on the previous versions 4.10.11 and 5.2.2 of Parse Server. Moreover, the bug has been in the scene due to the non-validation of the Parse Server Apple Game Center Auth Adapter.
NVD description has explained that the attacker can achieve Authentication Bypass by Fake Docs (certificate). Addressing these flaws wasn’t easy for them but they did it with the help of the rootCertificateUrl property
“For rooting the certificate of Apple’s Game Center Authentication Certificate it takes the URL”. Default will be set to the URL of the existing root certificate.
The developers are advised to keep their URL certificates up to date if using Parse Server Apple Game Center Auth Adapter.
It seems that technology has been working against us sometimes. So, we need a proper way to do things while handling Digital Gadgets and online networks. Communication between us is way too direct so the attacker gets the loophole to make an entrance in the middle and secretly get the information they need to work against our safety. If you want to work as Cyber Security Expert for Web Application then you can join the Web Application Security Course offered parse by Craw Security. Enroll, Now.
Kindly read more articles :
CITRIX got a Problem with Unauthorized Users for Application Delivery Management
A New Android Malware (Malibot) Targeting Online Banking and Cryptocurrency.
