If I wanted to, I could also see how popular a website is by counting the total number of registered users (or any other data):
Even worse, if permissions (or ACL as it’s known in Parse) are not set correctly, a hacker is able to create or delete data as they wish. In the example below, I create a new table (or Class as it’s known in Parse) in Parse called “Fake”, and insert some data into it. To test that it worked, I then use a query to get the contents of the Class:
I won’t show how to delete something for obvious reasons, but I’m sure anyone determined enough can work out how to delete an entire database of users by just looking over the Parse documentation. The above examples were executed on a production website I found via the Parse Application gallery, showing just how easily someone can access or delete data.
There are some obvious measures you can take to protect your data, however. I recommend the following actions:
- When creating objects, set the correct ACL permissions. Only allow an authenticated user to edit information, and only allow anonymous / public users to access non-sensitive information.
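One way to check the ACL recommendation above against your own data, as an added example that is not part of the original post: the sketch audits objects in Parse's JSON ACL form, where the key `"*"` means public access. It assumes an object with no ACL is publicly readable and writable; the class names, ids, and function names are hypothetical and the sample rows are constructed.

```javascript
// Added example: flag over-permissive Parse-style ACLs on exported objects.
const PUBLIC = "*"; // ACL key meaning "everyone, including anonymous users"

// Classes treated as sensitive in this example (assumption, adjust to your app).
const SENSITIVE_CLASSES = new Set(["_User", "Payment"]);

// Build the ACL the recommendation describes: owner can read and write,
// the public can read only when the data is non-sensitive.
function ownerAcl(userId, publicRead) {
  const acl = { [userId]: { read: true, write: true } };
  if (publicRead) acl[PUBLIC] = { read: true };
  return acl;
}

// Return a list of findings for one object of the given class.
function auditAcl(className, obj) {
  const acl = obj.ACL;
  if (acl === undefined || acl === null) {
    // No ACL at all: assumed to be public read AND write.
    return ["missing-acl"];
  }
  const findings = [];
  const pub = acl[PUBLIC] || {};
  if (pub.write === true) findings.push("public-write");
  if (pub.read === true && SENSITIVE_CLASSES.has(className)) {
    findings.push("public-read-sensitive");
  }
  return findings;
}

// Audit many rows and keep only the ones with at least one finding.
function auditAll(rows) {
  return rows
    .map(({ className, object }) => ({
      className,
      objectId: object.objectId,
      findings: auditAcl(className, object),
    }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample data (not taken from any real application).
const sampleRows = [
  { className: "Post", object: { objectId: "p1", ACL: ownerAcl("u1", true) } },
  { className: "Post", object: { objectId: "p2" } },
  { className: "Payment", object: { objectId: "p3", ACL: ownerAcl("u1", true) } },
  { className: "Comment", object: { objectId: "p4", ACL: { "*": { read: true, write: true } } } },
  { className: "Payment", object: { objectId: "p5", ACL: ownerAcl("u2", false) } },
];

console.log(JSON.stringify(auditAll(sampleRows), null, 2));
```

Objects `p1` and `p5` pass; the other three are reported with the reason each one is over-permissive.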