A serious vulnerability existed in NordVPN payment systems. Exploiting the flaw required sending an HTTP POST request that exposed NordVPN users’ details to anyone.
NordVPN Flaw Exposed Users’ Details
Reportedly, NordVPN has patched a serious flaw that could have exposed users’ details to others. First discovered by a bug bounty hunter, the vulnerability existed in their payments system.
The researcher with alias foo bar on HackerOne reported this vulnerability to NordVPN in December 2019. He found that sending a HTTP POST request without any authentication to join.nordvpn.com could let anyone view other users’ data. Doing so was simple; the attacker could simply change the numbers in the id and user_id to get the details of other users.
The said vulnerability received a high-severity rating with a score of 7 to 8.9. Upon reporting the flaw, not only NordVPN patched the vulnerability, but also awarded the researcher with a $1000 bounty.
Though, it remains unclear whether NordVPN has notified its users about the flaw, they did assure fixing of the bug. As per the statement of Jody Myers, spokesperson NordVPN, to TheRegister,
Such reports are one of the reasons why we have launched the bug bounty program. We are extremely happy with its results and encourage even more researchers to analyze our product. This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting. Theoretically, only email addresses could have been seen by a third party.
Multiple Bugs Patched Since Bug Bounty Program
Since then, the HackerOne profile of NordVPN shows back-to-back vulnerabilities being reported and addressed. Around the same time as that of the above-referenced IDOR, NordVPN also fixed the absence of rate-limiting on their password reset feature.
Towards the end of February 2020, they also patched a critical severity bug that violated users’ privacy. Specifically, the flaw existed owing to potential reuse of the API key that could send connection information to third-party service. For highlighting this bug, NordVPN awarded a $7,777 bounty to the researcher.
Let us know your thoughts in the comments.