NordVPN has disclosed a flaw in its payment platform that exposed sensitive and confidential customer data. The flaw could be exploited with a single request. As reported by The Register, the vulnerability was made public in February on HackerOne, a bug bounty platform on which researchers privately report security issues to vendors in return for financial rewards. The vulnerability, found by a researcher using the handle "dakitu", was scored between 7 and 8.9, which the report rated as "critical". The Insecure Direct Object Reference (IDOR) vulnerability could be triggered simply by sending an HTTP POST request to the nordvpn.com domain.
Without any form of authentication, a request sent to the website's API would return a range of user information. Using a demo account, the researcher retrieved information including e-mail addresses, merchant payment records, URLs, the products purchased and the amounts paid. By changing the user ID in the request, the flaw could potentially be used to display other users' profile information and data sets.
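The pattern described above, as an added illustration that is not NordVPN's or the payment provider's code: a payment-profile lookup keyed only by a client-supplied user_id (the IDOR), beside a hardened handler that requires a session and checks that the session owns the requested record. The profile table, session table and access-log lines are constructed sample data, and the endpoint name and field names are assumptions. A small log check at the end flags a client that walks through many ids, the access pattern an unauthenticated lookup invites and the kind of signal a detection system would watch for.

```python
# Added illustration of the IDOR pattern described in the article (constructed code,
# not NordVPN's or the payment provider's). All records, tokens and log lines below
# are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records standing in for a payment provider's profile table.
PROFILES = {
    1001: {"email": "alice@example.com", "merchant": "merchant-a",
           "product": "1-year plan", "amount": 59.00},
    1002: {"email": "bob@example.com", "merchant": "merchant-b",
           "product": "2-year plan", "amount": 89.00},
}

# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


@dataclass
class Request:
    method: str
    body: dict
    headers: dict = field(default_factory=dict)


def vulnerable_profile_lookup(req: Request) -> tuple[int, dict]:
    """The weak pattern: trusts user_id from the body and never asks who is calling."""
    profile = PROFILES.get(int(req.body["user_id"]))
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


def hardened_profile_lookup(req: Request) -> tuple[int, dict]:
    """Authenticate, then authorize: the record must belong to the session owner."""
    if req.method != "POST":
        return 405, {"error": "method not allowed"}
    token = req.headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    session_user = SESSIONS.get(token[len("Bearer "):].strip())
    if session_user is None:
        return 401, {"error": "authentication required"}
    try:
        requested = int(req.body.get("user_id", session_user))
    except (TypeError, ValueError):
        return 400, {"error": "invalid user_id"}
    if requested != session_user:
        # 404 rather than 403: do not confirm that the other id exists.
        return 404, {"error": "not found"}
    profile = PROFILES.get(session_user)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


def enumerating_clients(log_lines: list[str], threshold: int = 3) -> dict[str, int]:
    """Return clients that requested more than `threshold` distinct user ids.

    Each constructed log line has the form: "<client> POST /api/profile user_id=<id>".
    """
    ids_seen: dict[str, set[int]] = defaultdict(set)
    for line in log_lines:
        client, _, _, kv = line.split()
        ids_seen[client].add(int(kv.split("=", 1)[1]))
    return {c: len(ids) for c, ids in ids_seen.items() if len(ids) > threshold}


# Constructed access-log sample: one client walking through consecutive ids.
SAMPLE_LOG = [
    "203.0.113.5 POST /api/profile user_id=1001",
    "203.0.113.5 POST /api/profile user_id=1002",
    "203.0.113.5 POST /api/profile user_id=1003",
    "203.0.113.5 POST /api/profile user_id=1004",
    "198.51.100.9 POST /api/profile user_id=1002",
]

if __name__ == "__main__":
    anon = Request("POST", {"user_id": 1002})
    print(vulnerable_profile_lookup(anon))   # returns Bob's profile to an anonymous caller
    print(hardened_profile_lookup(anon))     # 401
    print(enumerating_clients(SAMPLE_LOG))   # {'203.0.113.5': 4}
```

The hardened handler takes the identity from the session, not the request body, and treats a mismatched id as "not found" so the endpoint does not double as an existence oracle. The log check is deliberately simple; in production the threshold would be tuned per endpoint and keyed on the session as well as the source address.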
A NordVPN spokesman told ZDNet that the company's technology team had confirmed the vulnerability was only made public on HackerOne (H1) after ensuring that no data had been compromised. The vulnerability was isolated to three small payment providers and could only be exploited within a limited time window. Third-party requests using automatically generated identifiers had always been limited. At the time of this particular vulnerability, the company's detection system showed no suspicious activity. The company also said it values the bug bounty program, as it allows vulnerabilities to be fixed before they can be exploited for malicious activity.
The vulnerability was fixed in December and dakitu was awarded a $1,000 bug bounty. Around the same time, another bug bounty was paid out on the NordVPN platform: researcher Th3pr0xyb0y disclosed a rate-limiting issue on NordVPN's forgotten-password page, where there was no limit on password-reset requests. The second security issue earned a $500 bounty.
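The missing control on the forgotten-password page, as an added example that is not NordVPN's code: a sliding-window rate limiter applied both per e-mail address and per client IP in front of a password-reset handler. The window sizes, the 429/202 response codes and the `send_reset` callback are assumptions chosen for the illustration; the clock is injectable so the window behaviour can be exercised without waiting.

```python
# Added illustration of rate limiting a password-reset endpoint (constructed code,
# not NordVPN's). Limits, status codes and the send_reset callback are assumptions.
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` events per key within any `window_seconds` span."""

    def __init__(self, max_requests: int, window_seconds: float, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._events: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class ForgotPasswordHandler:
    """Front the reset mailer with a per-IP and a per-address limiter."""

    def __init__(self, per_email: SlidingWindowLimiter,
                 per_ip: SlidingWindowLimiter, send_reset):
        self.per_email = per_email
        self.per_ip = per_ip
        self.send_reset = send_reset   # hypothetical callback that mails the reset link

    def handle(self, email: str, client_ip: str) -> int:
        # Check the IP limit first so one client cannot burn through many addresses,
        # then the per-address limit so one account cannot be flooded from many IPs.
        if not self.per_ip.allow(client_ip):
            return 429
        if not self.per_email.allow(email.strip().lower()):
            return 429
        self.send_reset(email)
        # 202 whether or not the address exists, so the endpoint does not confirm
        # account existence.
        return 202


class FakeClock:
    """Deterministic clock for the demonstration below."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds: float):
        self.t += seconds


def demo() -> list[int]:
    """Five requests for one address from one IP, then one more after the window passes."""
    clock = FakeClock()
    sent = []
    handler = ForgotPasswordHandler(
        per_email=SlidingWindowLimiter(3, 600, clock),   # 3 resets per address per 10 min
        per_ip=SlidingWindowLimiter(20, 600, clock),     # 20 resets per IP per 10 min
        send_reset=sent.append,
    )
    codes = [handler.handle("User@example.com", "203.0.113.5") for _ in range(5)]
    clock.advance(601)
    codes.append(handler.handle("user@example.com", "203.0.113.5"))
    return codes   # [202, 202, 202, 429, 429, 202]


if __name__ == "__main__":
    print(demo())
```

Keying on both the address and the source IP matters: a limit on the address alone still lets one client hammer the mailer with many addresses, and a limit on the IP alone is bypassed by spreading requests across sources. Normalising the address before keying stops trivial case variations from resetting the counter.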
Last year, the VPN service disclosed a data breach at one of its data centers, caused by a remote management system operated by the third-party data center provider. NordVPN did not know about it until a hacker had gained access, but given the seriousness of the matter, as VPN services rely on user trust and data protection to be successful, the company has moved its business elsewhere.