The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."
Example Code:
async () => {
const user = Parse.User.current()
if (user) {
user.setPassword('newpass')
await user.save()
}
}After running the above code, the new password will be stored in localStorage as a property named "password".
Proposed Solution:
Before saving anything to localStorage, Parse should strip out any properties named "password" that are attempting to be stored with a Parse.User type object.
Configuration:
Parse SDK: 2.9.1
Parse Server: 3.9.0
dplewis Analyst
pocketcolin Analyst
The
setPasswordmethod (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."Example Code:
After running the above code, the new password will be stored in localStorage as a property named "password".
Proposed Solution:
Before saving anything to localStorage, Parse should strip out any properties named "password" that are attempting to be stored with a Parse.User type object.
Configuration:
Parse SDK: 2.9.1
Parse Server: 3.9.0