NordVPN is a reputed service in the field of VPNs, but having a hard time with security issues lately. As a result of HackerOne’s bug bounty program in February, a researcher disclosed a bug in the NordVPN site that retrieves user information when an HTTP POST request sent to its website API.

A simple trick to get data

A security researcher named dakitu, who discovered and formally disclosed this bug to NordVPN, has received a bounty of $1,000. He named this as Insecure Direct Object Reference (IDOR) vulnerability and gave a severity score of 7-8.9. What he did was quite simple, as even a normie could breach it if existed now. dakitu sent a request as an HTTP POST to NordVPN’s domain, which triggered the flaw and retrieved user information.

NordVPN New Bug Exposed User Data with a Simple HTTP Post Request
NordVPN New Bug Exposed User Data with a Simple HTTP Post Request

The data returned by the bug isn’t that sensitive, but exploitable. The information contained User ID, email address, payment URL and method, the total amount paid and the type of product purchased. This may harm users if properly exploited. Further, a change in ID and User ID could let anyone access the information records of other users too!

Regarding the disclosure, NordVPN said, “We are very happy about the bug bounty program. Because of it, we are able to fix issues before they can actually be exploited.”

The platform has already faced a breach in one of its data centers last year, caused due to a third party’s fault of the remote management system. And now, the leakage of email addresses with payment information is yet another hit. It’s unsure of NordVPN informing its customers about this vulnerability, as it’s said to be declining this question when asked by The Register. Maybe, it didn’t felt that important as it hadn’t found any exploitations yet.

Aside from this HTTP POST bug, a contemporary bug was discovered in the password resetting feature too. This disclosure exposed there’s no rate-limit set for the number of times a password can be reset on the forgotten password page. This, along with the HTTP POST bug was resolved now.

Via: HackerOne, The Register


Please enter your comment!
Please enter your name here