Sunday, June 7, 03:30

NordVPN: Report error exposing sensitive customer data!

NordVPN has reported a bug in its payment platform that allowed sensitive and confidential customer data to be leaked. The bug could be exploited with a single request. As reported by The Register, the vulnerability was made public in February on HackerOne, a bug bounty platform on which researchers can privately disclose security issues to vendors in return for financial rewards. The vulnerability, found by a researcher named "dakitu", is rated at 7 - 8.9, which the report classes as "critical". It is an Insecure Direct Object Reference (IDOR) and could be triggered simply by sending an HTTP POST request to the domain.

Without any form of authentication, a request sent to the website's API would return a range of user information. Using a demo account, the researcher was able to pull back information including e-mail addresses, merchant payment records, URL addresses, the products purchased and the amounts paid. By changing the user ID in the request, the bug could potentially be used to display the profile information and data of other users.
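To make the flaw described above concrete, here is an added illustration (not NordVPN's code or the researcher's report) of the same pattern in a minimal Python request handler: the vulnerable version trusts the user ID supplied in the POST body, while the hardened version requires a session and ties the record to the authenticated caller. All user data, tokens and names below are constructed for the demo.

```python
# Added example: a payment-profile lookup written two ways, to show an IDOR
# of the kind reported against the payment API and one way to close it.
# PROFILES, SESSIONS and the token format are constructed demo values.
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed demo store keyed by user ID: e-mail, merchant record, amount paid.
PROFILES: Dict[int, dict] = {
    101: {"email": "alice@example.invalid", "merchant_ref": "ord-2001", "paid": 83.88},
    102: {"email": "bob@example.invalid", "merchant_ref": "ord-2002", "paid": 11.95},
}

# Constructed session table: bearer token -> authenticated user ID.
SESSIONS: Dict[str, int] = {"tok-alice": 101, "tok-bob": 102}


@dataclass
class Request:
    """Just enough of an HTTP POST to reproduce the bug: headers plus a form body."""
    headers: Dict[str, str]
    form: Dict[str, str]


def lookup_vulnerable(req: Request) -> Tuple[int, dict]:
    """IDOR: reads user_id straight from the body and never checks who is asking."""
    user_id = int(req.form["user_id"])
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else (404, {"error": "not found"})


def lookup_fixed(req: Request) -> Tuple[int, dict]:
    """Hardened: authenticate first, then serve only the caller's own record.

    The object ID comes from the session, not from attacker-controlled input;
    a body that names someone else's ID is refused (and worth logging)."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "authentication required"}
    try:
        requested = int(req.form.get("user_id", caller))
    except ValueError:
        return 400, {"error": "bad user_id"}
    if requested != caller:
        return 403, {"error": "forbidden"}  # cross-account access attempt
    return 200, PROFILES[caller]
```

The key defensive difference is that the fixed handler never uses the client-supplied ID to select the record; it only compares it against the identity already established by the session.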

A NordVPN spokesman told ZDNet that the company has confirmed, with the help of its technology team, that the vulnerability was only disclosed to H1 after it had been ensured that no data had been compromised. The vulnerability was isolated to three small payment providers and could only be exploited within a limited time. Third-party requests for automatic identifiers have always been limited. At the time this particular vulnerability was raised, the company's detection system showed no suspicious activity. The company is also pleased with the bug bounty program, as it allows vulnerabilities to be fixed before they can be exploited for malicious activity.

That vulnerability was corrected in December, and dakitu was awarded a $1,000 bug bounty. At the same time, another bounty was paid out on the NordVPN platform. The researcher Th3pr0xyb0y disclosed a rate-limiting issue on NordVPN's forgotten-password page, as there was no limit on password reset requests. The second security issue was awarded a $500 reward.

Last year, the VPN service disclosed a data breach at one of its data centers, caused by a remote management system owned by a third-party data center provider. NordVPN did not know about it until a hacker managed to gain access, but given the seriousness of the matter, since VPN services rely on user trust and data protection to be successful, the company has moved its business elsewhere.
