posted by Fnord666 on Wednesday March 11 2020, @05:28AM
from the not-the-flaw-you're-looking-for dept.

Top VPN Software Had a Major Security Flaw

Top VPN software had a major security flaw:

One of the most popular VPN services available today may have exposed customer payment information due to a significant security flaw.

Security researchers uncovered a vulnerability in the payment platform used by NordVPN, which has millions of users around the world.

The flaw could have allowed hackers access to user account information, including email addresses and shopping history, according to the team at security firm HackerOne.

UPDATE: NordVPN has told TechRadar Pro that the vulnerability was isolated to three small payment providers and possible to exploit only within a limited timeframe.

"We have confirmed with our tech team that the issue was disclosed on H1 only after evaluating that no data had been exploited," a NordVPN spokesperson told us.

Also at:

NordVPN HTTP POST bug exposed customer information, no authentication required:

Original Submission #1 | Original Submission #2

  • (Score: 4, Informative) by NotSanguine on Wednesday March 11 2020, @06:19AM (2 children)

    After reading TFA, I thought it useful to add a little more detail.

    Apparently, while the vulnerable parties were payment processors used by NordVPN, unauthenticated access to that data was obtained through HTTP POST requests via the nordvpn.com domain.

    Based on what I read, it's unclear whose configuration (the NordVPN website, the affected payment processors, or both) allowed unauthenticated access to customer records.

    This was a serious problem for NordVPN and its customers, but it still wasn't a breach of its VPN tunneling or security management systems.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 0) by Anonymous Coward on Wednesday March 11 2020, @02:43PM (#969632) (1 child)

    It would be less of a problem if they stopped demanding so much user data just to process a credit transaction. People don't realise that when they use credit cards their personal data is sent along or demanded as "proof".

    I had a wonderful example of this. I had a card without address data. Which meant that a vendor that tried to collect my address could not complete the transaction. I put in details on a shopping cart payment page. Card no., expiry, etc. It sent a request to my bank. It failed. After going back and forth I finally discovered that yes, my card details were correct, yes, the card was okay with sufficient funds and condition to allow the transaction, but no, it was failing. The requestor was demanding more information than my bank would give. They would not send "billing address", mostly because there was none.

    Gee. That's tough. Use another card.

    Think about it. They claim to need this data for security. What security? Credit card fraud is covered by the banks and card systems. No, they are choosing to forgo a sale if they can't collect the end user's personal data.

    It's a shitty world we live in.

    Meanwhile I still fail to go through checkout on some sites due to this. Which is a shame. I'd like to support sites by buying merchandise.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday March 11 2020, @04:37PM (#969688)

      Think about it. They claim to need this data for security. What security? Credit card fraud is covered by the banks and card systems. No, they are choosing to forgo a sale if they can't collect the end user's personal data.

      Um no, credit card fraud is not covered by the banks and card systems. When a fraudulent charge is reversed the money is simply refunded directly from the merchant's account back to the cardholder's.

      Generally the merchants accepting credit cards are SOL in case of fraud and have to eat the loss. The banks never lose.

      Not saying they aren't also trying to collect your personal information but credit card fraud can be really bad for businesses that accept credit cards, and many of these verification tools really are about reducing overall risk to the business. Like any policy that involves vetting customers, this will have a cost in the form of losing some legitimate sales. They presumably lost out on selling to you, so hopefully for the business the actual reduction in credit card fraud was worth it.