NordVPN is a reputed service in the field of VPNs, but it has been having a hard time with security issues lately. Through HackerOne's bug bounty program in February, a researcher disclosed a bug in the NordVPN site that returned user information when an HTTP POST request was sent to its website API.
A simple trick to get data
A security researcher named dakitu, who discovered and formally disclosed this bug to NordVPN, received a bounty of $1,000. He classified it as an Insecure Direct Object Reference (IDOR) vulnerability and gave it a severity score of 7-8.9. What he did was quite simple; even a normie could have pulled it off, had the flaw still existed. dakitu sent an HTTP POST request to NordVPN's domain, which triggered the flaw and returned user information.
The data returned by the bug isn't that sensitive, but it is exploitable. The information contained the User ID, email address, payment URL and method, the total amount paid and the type of product purchased. This could harm users if properly exploited. Further, changing the ID and User ID in the request let anyone access the records of other users too!
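The flaw described above is the textbook IDOR pattern: the endpoint selects the record by an identifier the client supplies, instead of by the identity the server has already authenticated. The following toy handler pair is an added illustration, not NordVPN's code; the users, sessions and field values are constructed, and the "right" behaviour shown is object-level authorization bound to the session.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records with the field types the disclosure lists
# (user id, email, payment URL and method, amount paid, product). Not real data.
USERS = {
    101: {"user_id": 101, "email": "alice@example.test", "payment_method": "card",
          "payment_url": "https://pay.example.test/inv/101", "amount_paid": 83.88,
          "product": "2-year plan"},
    102: {"user_id": 102, "email": "bob@example.test", "payment_method": "paypal",
          "payment_url": "https://pay.example.test/inv/102", "amount_paid": 11.95,
          "product": "1-month plan"},
}

# Constructed session store: token -> authenticated user id.
SESSIONS = {"tok-alice": 101, "tok-bob": 102}


@dataclass
class Request:
    session_token: Optional[str]  # None when the caller has no session at all
    body: dict                    # parsed POST body, e.g. {"user_id": 102}


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


def lookup_vulnerable(req: Request) -> Optional[dict]:
    """IDOR: the record is chosen by the user_id in the POST body, so any
    caller (even one with no session) can read any user's record."""
    return USERS.get(req.body.get("user_id"))


def lookup_hardened(req: Request) -> dict:
    """Object-level authorization: resolve the caller from the session first,
    then refuse any request whose user_id does not match that caller."""
    caller = SESSIONS.get(req.session_token)
    if caller is None:
        raise Unauthorized("no valid session")
    requested = req.body.get("user_id", caller)
    if requested != caller:
        # Repeated mismatches from one session are an enumeration signal worth alerting on.
        raise Forbidden(f"session user {caller} requested record {requested}")
    return USERS[caller]


def outcome(handler, req: Request):
    """Return the record, or the name of the refusal, so callers can compare handlers."""
    try:
        return handler(req)
    except (Unauthorized, Forbidden) as exc:
        return type(exc).__name__
```

The vulnerable handler never consults the session, which is exactly why swapping the ID in the body is enough; the hardened one ignores the body for record selection and treats a mismatch as a logged authorization failure.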
Regarding the disclosure, NordVPN said, "We are very happy about the bug bounty program. Because of it, we are able to fix issues before they can actually be exploited."
The platform already faced a breach in one of its data centers last year, caused by a fault in a third party's remote management system. And now, the leakage of email addresses with payment information is yet another hit. It is unclear whether NordVPN informed its customers about this vulnerability, as it reportedly declined to answer that question when asked by The Register. Maybe it didn't feel it was that important, as it hadn't found any exploitation yet.
Aside from this HTTP POST bug, a contemporary bug was discovered in the password reset feature too. This disclosure exposed that there was no rate limit on the number of times a password reset could be requested from the forgotten-password page. This, along with the HTTP POST bug, has now been resolved.
Via: HackerOne, The Register