Parse is a cloud platform that lets you build applications without worrying about server infrastructure, databases or hosting. The company, which was recently acquired by Facebook, has over 100,000 apps built on the platform, including iOS, Android and Web applications. Parse provides SDKs for a variety of platforms, but the one I’ll be covering is the JavaScript SDK.
The JavaScript SDK is a convenient way to add database storage and other features to your website, but there are a few things you need to be aware of. Because the SDK runs in the visitor’s browser, every visitor holds the same application ID and JavaScript key that your own code uses, so it is quite easy for someone to modify your database or read sensitive information. For example, I can run a few lines of JavaScript from the Google Chrome console on a website that uses Parse and pull out names and email addresses.
Using the JavaScript console, the below script can access and print out names and email addresses from a Parse database quite easily:
If I run the above code on a Parse website using the JavaScript SDK, I get something similar to:
If I wanted to, I could also gauge how popular a website is by counting the total number of registered users (or any other data):
Even worse, if permissions (an ACL, in Parse terms) are not set correctly, an attacker can create or delete data at will. In the example below, I create a new table (a Class, in Parse terms) called “Fake” and insert some data into it. To confirm that it worked, I then run a query to fetch the contents of the Class:
I won’t show how to delete something for obvious reasons, but I’m sure anyone determined enough can work out how to delete an entire database of users just by reading the Parse documentation. The above examples were executed on a production website I found via the Parse Application gallery, showing just how easily someone can access or delete data.
There are some obvious measures you can take to protect your data, however. I recommend the following actions:
- Where possible, avoid the JavaScript SDK altogether. The application ID and JavaScript key have to be shipped to the browser, so anyone can read them out of your page source, and from the same source they can work out which Class names you use and then query or modify that data directly.
- If you do use the JavaScript SDK, you should turn off the “” setting, found under [Settings] > [General Settings] > [App Permissions]. This will prevent hackers from creating new classes using the JavaScript SDK.
- Set an ACL on every object you create. Grant write access only to the authenticated user who owns the object, and grant anonymous / public read access only to data that is genuinely non-sensitive.
- Do not touch the default User class (which stores emails, usernames and passwords) from the JavaScript SDK. Instead, authenticate the user in server-side code (for example PHP) and have that code hand the user access to the rest of the data.
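The ACL recommendation above, as an added example that is not part of the original post and is not Parse’s own code: the ACL JSON shape (keys `"*"`, a user objectId, or `role:<name>`, each mapping to `read`/`write` flags) is the format Parse stores on an object; the `allows` checker, the helper names, the hypothetical user ids and the sample records are assumptions made for this example so the weak and corrected settings can be compared offline.

```javascript
// Added example (not from the original post or from Parse): a local model of
// Parse's ACL document so the weak and corrected settings can be compared.
// Parse stores an object's ACL as JSON keyed by "*" (public), a user's
// objectId, or "role:<name>", each mapping to {read: bool, write: bool}.
// `allows` is an approximation of how that document is evaluated, written
// for this example; it is not the Parse server's code. Assumption: an object
// with no ACL at all is publicly readable and writable (Parse's default).
function allows(acl, actor, op) {
  // actor is null for an anonymous visitor, otherwise {id, roles}
  if (!acl) return true;
  if (acl['*'] && acl['*'][op]) return true;
  if (!actor) return false;
  const own = acl[actor.id];
  if (own && own[op]) return true;
  for (const role of actor.roles || []) {
    const entry = acl['role:' + role];
    if (entry && entry[op]) return true;
  }
  return false;
}

// Weak setting: what a record effectively carries when the developer never
// sets an ACL, or explicitly grants public read and write.
function weakAcl() {
  return { '*': { read: true, write: true } };
}

// Corrected setting for sensitive records: only the owning user can read or
// write. With the real SDK this is `new Parse.ACL(user)`, whose default is
// owner read/write and no public access.
function ownerOnlyAcl(ownerId) {
  return { [ownerId]: { read: true, write: true } };
}

// Corrected setting for non-sensitive records: anyone may read, only the
// owner may write. With the real SDK: `acl.setPublicReadAccess(true)` on an
// owner ACL, leaving public write off.
function publicReadOwnerWriteAcl(ownerId) {
  return { '*': { read: true }, [ownerId]: { read: true, write: true } };
}

// Audit helper: given records as they would come back from a query on a
// class, return the emails an anonymous caller could read. Running this over
// a dump of your own class before going live shows exactly what a visitor
// with the JavaScript key can see.
function exposedToPublic(records) {
  return records
    .filter((r) => allows(r.ACL, null, 'read'))
    .map((r) => r.email);
}

// Constructed sample data (hypothetical ids and addresses).
const sampleRecords = [
  { objectId: 'a1', owner: 'u_alice', email: 'alice@example.com', ACL: weakAcl() },
  { objectId: 'b2', owner: 'u_bob', email: 'bob@example.com', ACL: ownerOnlyAcl('u_bob') },
  { objectId: 'c3', owner: 'u_carol', email: 'carol@example.com' }, // no ACL set at all
];

console.log(exposedToPublic(sampleRecords)); // alice and carol are exposed, bob is not
```

Note that the record with no ACL is just as exposed as the one with an explicit public ACL; forgetting to set an ACL is the common case, not the deliberate one, so build the ACL in the same place you construct the object.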