Flaw in popular VPN service might have exposed customer data

Amer Owaida, Security Writer at ESET discusses the security flaw found in the payment platform used by one of the most popular VPN service provider, NordVPN and that might have exposed the customer data.

NordVPN, one of the most popular virtual private network (VPN) services, has fixed a security flaw that is said to have exposed customers’ email addresses and other information.

The security hole was linked to three payment platforms used by NordVPN – Momo, Gocardless, and Coinpayments. According to The Register, which was the first to report on the issue, the flaw was uncovered by a researcher going by the moniker ‘dakitu’ and was disclosed via popular bug bounty platform HackerOne.

The researcher found that anyone who sent an HTTP POST request without authentication to join.nordvpn.com could see users’ email addresses, payment method and URL, the product they purchased, the amount they paid for it and even the currency used in the transaction.

There is actually some unclarity as to the severity of the bug, as NordVPN said in a statement today that only a handful of random email addresses – and no other customer data – might have been at risk.

Nevertheless, the vulnerability was uncovered on December 4th, 2019, before being fixed by NordVPN two days later. The flaw and its patch were made public on the website in February and ‘dakitu’ received a bounty reward of US$1,000 for his efforts.

NordVPN didn’t say whether it had notified its customers about the vulnerability or not. At any rate, The company was satisfied with the outcome, stating that it is one of the reasons that they launched their bug bounty program and that they hope to reap more benefits in the future: “We are extremely happy with its results and encourage even more researchers to analyze our product.”

In October of last year, NordVPN was criticized for taking too long to fess up to a security breach that may have lasted from March of 2018. The company argued that the long disclosure period was needed because of the size of its infrastructure audit and the number of servers the company runs to host its service.