Top VPN software had a major security flaw

(Image credit: Shutterstock.com)

UDPATE: NordVPN has told TechRadar Pro that the vulnerability was isolated to three small payment providers and possible to exploit only within a limited timeframe. 

"We have confirmed with our tech team that the issue was disclosed on H1 only after evaluating that no data had been exploited," a NordVPN spokesperson told us.

One of the most popular VPN services available today may have exposed customer payment information due to a significant security flaw.

Security researchers uncovered a vulnerability in the payment platform used by NordVPN, which has millions of users around the world.

The flaw could have allowed hackers access to user account information, including email addresses and shopping history, according to the team at security firm HackerOne.

NordVPN security

According to The Register, which had the flaw flagged by a concerned user, anyone making an HTTP POST request to join.nordvpn.com without any authentication would be able to access users' email addresses, payment method and URL, currency, amount paid and even which specific products they had bought.

The patched flaw was made public in early February on HackerOne's bug bounty platform, with the company saying it had contacted NordVPN about the issue.

In a statement, NordVPN said that this was "an isolated case" that potentially could only have affected a "handful of users".

The company did not confirm whether it had told customers about the flaw, but told said it appreciated the work of the HackerOne community.

"Such reports are one of the reasons why we have launched the bug bounty program," company spokeswoman Jody Myers told The Register. 

"We are extremely happy with its results and encourage even more researchers to analyze our product. This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting. Theoretically, only email addresses could have been seen by a third party."

The company is the only major known VPN organisation to have enlisted on the HackerOne programme which pays penetration testers for finding bugs into their infrastructure, applications and apps.

NordVPN hit the headlines last October after the company was revealed to have suffered a major data breach back in March 2018, although it was able to limit the damage and the customers affected.

Via: The Register

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.