An authentication bypass affecting Apple Game Center has been found due to a Parse Server software flaw. Push notification support for iOS, macOS, Android, and tvOS is provided by the open-source Parse Server project, which is accessible on GitHub.
The program may be used separately or in conjunction with pre-existing web applications and is a backend system compatible with any infrastructure capable of running Node.js. According to a security alert released on June 17, a fault in Parse Server versions prior to 4.10.11/5.0.0/5.2.2 created a validation problem in Apple Game Center. Apple also addresses the Game Center as its “social gaming network.” Real-time multiplayer gaming and leaderboards are features of the platform.
The security flaw is identified as CVE-2022-31083 and has been given a CVSS severity rating of 8.6. It is defined as a situation in which the authentication adaptor for Apple Game Center’s security certificate is not verified.
“As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object,” reads the advisory.
The attack complexity is regarded as minimal because there are no privilege requirements. Parse Server 4.10.11/5.2.2 has been updated with a fix. The software’s Apple Game Center auth adapter now includes a new rootCertificateUrl field that “takes the URL to the root certificate of Apple’s Game Center authentication certificate.”
The new property defaults to the URL of the root certificate being used by Apple if developers haven’t provided a value in the authentication system. There is no accessible workaround. The advice also states that an Apple ecosystem programmer must keep the root certificate updated while employing the Parse Server Apple Game Center auth adapter. In iOS 16, which will be released later this year, Game Center will have a refreshed dashboard design that includes friends’ activities.
“Improper validation could allow attackers to bypass authentication, making the server vulnerable to simple remote attacks,” ESET’s global cybersecurity advisor, Jake Moore, said. “It’s not often that Apple misses the mark on a security feature but without the requirement of authentication, this is a potentially dangerous and even an easy attack. The best way to avoid this threat would be to quickly patch devices with the latest update.”
