[BreachExchange] Top VPN software had a major security flaw

Destry Winant destry at riskbasedsecurity.com
Tue Mar 10 10:07:20 EDT 2020


https://www.techradar.com/news/this-top-vpn-suffered-a-major-security-flaw

UPDATE: NordVPN has told TechRadar Pro that the vulnerability was
isolated to three small payment providers and possible to exploit only
within a limited timeframe.

"We have confirmed with our tech team that the issue was disclosed on
H1 only after evaluating that no data had been exploited," a NordVPN
spokesperson told us.

One of the most popular VPN services available today may have exposed
customer payment information due to a significant security flaw.

Security researchers uncovered a vulnerability in the payment platform
used by NordVPN, which has millions of users around the world.

The flaw could have allowed hackers access to user account
information, including email addresses and shopping history, according
to the team at security firm HackerOne.


NordVPN security

According to The Register, which had the flaw flagged by a concerned
user, anyone making an HTTP POST request to join.nordvpn.com without
any authentication would be able to access users' email addresses,
payment method and URL, currency, amount paid and even which specific
products they had bought.
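The class of bug described above is an endpoint that hands back order records without first establishing who is asking. The following is an added illustration, not NordVPN's code and not the payment provider's: a hypothetical order-lookup handler in its flawed form beside a hardened form that requires a session, checks that the order belongs to the authenticated account, and applies a per-client rate limit (which the article credits with bounding the exposure, though it is a second line of defence rather than the fix). All accounts, orders and tokens are constructed sample data.

```python
"""Added example: unauthenticated order lookup vs. a hardened handler.
Not NordVPN's code; every account, order and token below is constructed."""
from dataclasses import dataclass, asdict
from typing import Optional, Tuple, Dict, List
import time


@dataclass(frozen=True)
class Order:
    order_id: str
    account_email: str
    product: str
    amount: float
    currency: str
    payment_method: str


# Constructed sample records (hypothetical customers and purchases).
ORDERS: Dict[str, Order] = {
    "ord-1001": Order("ord-1001", "alice@example.com", "1-year plan", 83.88, "USD", "card"),
    "ord-1002": Order("ord-1002", "bob@example.com", "monthly plan", 11.95, "USD", "paypal"),
}

# Session token -> authenticated account (constructed; a real service would
# look these up in its session store).
SESSIONS: Dict[str, str] = {"tok-alice": "alice@example.com", "tok-bob": "bob@example.com"}


def lookup_order_insecure(order_id: str) -> Optional[dict]:
    """The flawed pattern the article describes: any caller that supplies an
    order id receives the full record, including the customer's e-mail and
    payment details, with no authentication at all."""
    order = ORDERS.get(order_id)
    return None if order is None else asdict(order)


class RateLimiter:
    """Fixed-window limiter keyed by client principal (here the client IP).
    It slows down bulk enumeration but does not stop a single unauthorised read,
    so it complements, rather than replaces, the authorization check below."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: Dict[str, List[float]] = {}

    def allow(self, principal: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits.get(principal, []) if now - t < self.window]
        if len(recent) >= self.max_requests:
            self._hits[principal] = recent
            return False
        recent.append(now)
        self._hits[principal] = recent
        return True


LIMITER = RateLimiter(max_requests=5, window_seconds=60)


def lookup_order(order_id: str, session_token: Optional[str], client_ip: str) -> Tuple[int, Optional[dict]]:
    """Hardened handler returning (HTTP status, response body).

    Order of checks: rate limit by client, authenticate the session, then
    confirm the order belongs to the authenticated account. A mismatch is
    answered with 404 rather than 403 so the endpoint does not confirm that
    someone else's order id exists. The body omits the account e-mail, since
    the caller already knows who they are."""
    if not LIMITER.allow(client_ip):
        return 429, None
    account = SESSIONS.get(session_token or "")
    if account is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order.account_email != account:
        return 404, None
    return 200, {
        "order_id": order.order_id,
        "product": order.product,
        "amount": order.amount,
        "currency": order.currency,
        "payment_method": order.payment_method,
    }


if __name__ == "__main__":
    print("insecure:", lookup_order_insecure("ord-1001"))
    print("no session:", lookup_order("ord-1001", None, "198.51.100.10"))
    print("owner:", lookup_order("ord-1001", "tok-alice", "198.51.100.10"))
    print("other customer:", lookup_order("ord-1001", "tok-bob", "198.51.100.10"))
```

The ownership comparison is the part that actually closes the hole: authentication alone would still let any logged-in customer read any other customer's order, which is the same exposure with one extra step.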

The patched flaw was made public in early February on HackerOne's bug
bounty platform, with the company saying it had contacted NordVPN
about the issue.

In a statement, NordVPN said that this was "an isolated case" that
potentially could only have affected a "handful of users".

The company did not confirm whether it had told customers about the
flaw, but said it appreciated the work of the HackerOne community.

"Such reports are one of the reasons why we have launched the bug
bounty program," company spokeswoman Jody Myers told The Register.

"We are extremely happy with its results and encourage even more
researchers to analyze our product. This is an isolated case that
potentially affected only a handful of users, due to the implemented
rate-limiting. Theoretically, only email addresses could have been
seen by a third party."

The company is the only major known VPN organisation to have enlisted
on the HackerOne programme, which pays penetration testers for finding
bugs in its infrastructure, applications and apps.

NordVPN hit the headlines last October after the company was revealed
to have suffered a major data breach back in March 2018, although it
was able to limit the damage and the customers affected.

