Skip to content

Storing Password in Local Storage

Moderate severity GitHub Reviewed Published Jul 23, 2020 in parse-community/Parse-SDK-JS • Updated Jan 9, 2023

Package

npm parse (npm)

Affected versions

< 2.10.0

Patched versions

2.10.0

Description

The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."

Example Code:

async () => {
    const user = Parse.User.current()
    if (user) {
        user.setPassword('newpass')
        await user.save()
    }
}

After running the above code, the new password will be stored in localStorage as a property named "password".

Proposed Solution:
Before saving anything to localStorage, Parse should strip out any properties named "password" that are attempting to be stored with a Parse.User type object.

Configuration:
Parse SDK: 2.9.1
Parse Server: 3.9.0

References

@davimacedo davimacedo published to parse-community/Parse-SDK-JS Jul 23, 2020
Reviewed Jul 23, 2020
Published to the GitHub Advisory Database Jul 23, 2020
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-wvh7-5p38-2qfc

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.