date 2010-03-20
from the not-the-flaw-you're-looking-for dept.
Top VPN Software Had a Major Security Flaw
Top VPN software had a major security flaw:
One of the most popular VPN services available today may have exposed customer payment information due to a significant security flaw.
Security researchers uncovered a vulnerability in the payment platform used by NordVPN, which has millions of users around the world.
The flaw could have allowed hackers access to user account information, including email addresses and shopping history, according to the team at security firm HackerOne.
UPDATE: NordVPN has told TechRadar Pro that the vulnerability was isolated to three small payment providers and possible to exploit only within a limited timeframe.
"We have confirmed with our tech team that the issue was disclosed on H1 only after evaluating that no data had been exploited," a NordVPN spokesperson told us.
NordVPN HTTP POST bug exposed customer information, no authentication required:
(Score: 0) by Anonymous Coward on Wednesday March 11, @05:40AM (2 children)
Trusting your ISP is insanity.
(Score: 1) by fustakrakich on Wednesday March 11, @06:04AM (1 child)
Seems like trusting anybody only leads to trouble.
Is there anyplace that hasn't leaked yet?
(Score: 0) by Anonymous Coward on Wednesday March 11, @06:07AM
Yup. My personal infrastructure.
No. You can't use it.
(Score: 3, Informative) by NotSanguine on Wednesday March 11, @06:07AM (1 child)
The issue (according to TFS) was with one or more payment processors and not with the VPN tunneling or management software, as the headline implies.
Granted, if data is/was exfiltrated from a payment processor that you used, the credit card you used and the fact that you pay for a VPN may be exposed.
That, however, is emphatically *not* "VPN Software Had a Major Security Flaw". Not even close.
How about "NordVPN Payment Processor(s) Hacked, Payment Details Exposed?"
Full disclosure: I have used (and implemented/managed) various VPN platforms as required by clients/employers, but I do not use, and never have used, the services of NordVPN or its competitors.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by NotSanguine on Wednesday March 11, @06:19AM
After reading TFA, I thought it useful to add a little more detail.
Apparently, while the vulnerable parties were payment processors used by NordVPN, unauthenticated access to that data was obtained through HTTP POST requests through the nordvpn.com domain.
Based on what I read, it's unclear whose configuration (the NordVPN website, the affected payment processors, or both) allowed unauthenticated access to customer records.
This was a serious problem for NordVPN and its customers, but it still wasn't a breach of its VPN tunneling or security management systems.
No, no, you're not thinking; you're just being logical. --Niels Bohr