GMS-2020-422: Storing Password in Local Storage

July 23, 2020 (updated September 22, 2021)

The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user’s password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, “We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext.”

Example Code:

async () => {
 const user = Parse.User.current()
 if (user) {
 user.setPassword('newpass')
 await user.save()
 }
}

After running the above code, the new password will be stored in localStorage as a property named “password”.

Proposed Solution: Before saving anything to localStorage, Parse should strip out any properties named “password” that are attempting to be stored with a Parse.User type object.

Configuration: Parse SDK: Parse Server:

References

Code Behaviors & Features

Detect and mitigate GMS-2020-422 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →