The problem with Parse

A low-code server that endangers over 64,000,000 users


Speaker

healdb is a 23 year old MS CS student and currently in his last semester at RIT. He has been participating in bug bounty programs for the past three years and has been making infosec content on his blog. Healdb loves bug bounties, and has been able to pay for his entire CS MS degree with the proceeds from his findings!

Abstract

Low-code server platforms provide a necessary service in that they allow all developers regardless of skill the ability to create content and mobile applications. Unfortunately, these low-code solutions also put user data security at risk, because they follow the path of most convenience instead of ensuring that the application will be secure. This talk will focus specifically on the low-code server called “Parse”. The Parse Platform is a popular web server similar to Firebase that allows mobile application developers to spin up a fully-fledged backend with API support within a very short amount of time and with very little programming experience. In just a few days of scanning the most popular Google Play applications, I was able to discover several vulnerable Parse instances that potentially endanger the data of a collective 64,000,000 users. In this talk, I will give an overview of the many security issues inherent in the Parse platform, as well as give recommendations to both developers and the maintainers of the Parse Platform for how to improve their security posture.

Video