Friday, January 22, 11:25

NordVPN: Report error exposing sensitive customer data!

NordVPN has disclosed a flaw in its payment platform that exposed sensitive and confidential customer data; the flaw could be exploited with a single request. As reported by The Register, the vulnerability was made public in February on HackerOne, a bug bounty platform on which researchers privately report security issues to vendors in return for financial rewards. The vulnerability, found by a researcher using the handle "dakitu", was scored in the 7 to 8.9 range, which the report rated as "critical". The Insecure Direct Object Reference (IDOR) flaw could be triggered simply by sending an HTTP POST request to the nordvpn.com domain.

The request needed no authentication of any kind: a single call to the website's API returned a range of user information. Using a demo account, the researcher was able to pull back e-mail addresses, merchant payment records, URLs, the products purchased and the amounts paid. By changing the user ID in the request, the flaw could potentially be used to display other users' profile information and data sets.
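To show the pattern the report describes, here is an added Python example (not NordVPN's code and not taken from the HackerOne report): a profile lookup that trusts a client-supplied user ID with no session, beside a hardened handler that resolves the caller from the session and refuses objects the caller does not own, plus a simple log check a defender could use to spot one client walking through many IDs. All profile records, session tokens, addresses and log lines are constructed sample data, and the log format is an assumption for the example.

```python
from collections import defaultdict
from typing import Optional

# Constructed sample profile store; the e-mail addresses, products and amounts
# are fictional and not taken from the report.
PROFILES = {
    101: {"email": "alice@example.test",
          "orders": [{"product": "1-year plan", "amount": 83.88}]},
    102: {"email": "bob@example.test",
          "orders": [{"product": "1-month plan", "amount": 11.95}]},
}

# Constructed session table: session token -> authenticated user ID.
SESSIONS = {"sess-alice": 101, "sess-bob": 102}


def vulnerable_profile_lookup(body: dict) -> dict:
    """'Before' shape: the only input is the user_id from the POST body.
    No session is required and no ownership check is made, so any value
    of user_id returns that user's record (the IDOR)."""
    return PROFILES[body["user_id"]]


def hardened_profile_lookup(body: dict, session_token: Optional[str]) -> tuple:
    """'After' shape: resolve the caller from the session, never from the
    body, and refuse to return any object the caller does not own.
    Returns an (http_status, payload) pair."""
    caller_id = SESSIONS.get(session_token) if session_token else None
    if caller_id is None:
        return 401, {"error": "authentication required"}
    requested_id = body.get("user_id", caller_id)
    if requested_id != caller_id:
        # Do not reveal whether the requested ID exists: same 403 either way.
        return 403, {"error": "forbidden"}
    return 200, PROFILES[caller_id]


def clients_enumerating_ids(log_lines, threshold: int = 3):
    """Defender-side check: flag client addresses that requested more than
    `threshold` distinct user_id values. The log format is a constructed
    'client=<ip> user_id=<n>' line, not a real web-server format."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        seen[fields["client"]].add(fields["user_id"])
    return sorted(ip for ip, ids in seen.items() if len(ids) > threshold)


# Constructed access log: one client walks through consecutive IDs.
SAMPLE_LOG = [
    "client=203.0.113.7 user_id=100",
    "client=203.0.113.7 user_id=101",
    "client=203.0.113.7 user_id=102",
    "client=203.0.113.7 user_id=103",
    "client=198.51.100.2 user_id=102",
]

if __name__ == "__main__":
    print(vulnerable_profile_lookup({"user_id": 102}))
    print(hardened_profile_lookup({"user_id": 102}, "sess-alice"))
    print(clients_enumerating_ids(SAMPLE_LOG))
```

The key design point is that the hardened handler never uses the body's `user_id` to decide whose record to return: identity comes from the session, and the body value is only compared against it. The log check is deliberately crude (a count of distinct IDs per client); in practice the same idea would run over the real access log with a threshold tuned to normal traffic.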

A NordVPN spokesperson told ZDNet that the company had confirmed with its technology team that the vulnerability was disclosed on HackerOne only after it had ensured no data had been compromised. The vulnerability was isolated to three small payment providers and could only be exploited within a limited time window. Third-party requests for automated identifiers have always been limited. At the time this vulnerability was reported, the company's detection systems showed no suspicious activity. The company also said it values its bug bounty program, since it allows vulnerabilities to be fixed before they can be exploited for malicious activity.

The vulnerability was fixed in December and dakitu was awarded a $1,000 bug bounty. At the same time a second bug was rewarded on the NordVPN platform: researcher Th3pr0xyb0y reported a rate-limiting issue on NordVPN's forgotten-password page, where there was no limit on password reset requests. This second security issue was awarded a $500 bounty.
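An added example, not NordVPN's implementation, of the kind of control the second report concerns: a sliding-window rate limiter on password reset requests, keyed both by account and by client address, so that a flood of requests against one mailbox or from one source is refused. The limits (3 per account per 15 minutes, 10 per client address per hour), the controllable clock helper and the sample address are assumptions made for this example.

```python
import time
from collections import defaultdict, deque
from typing import Callable


class FakeClock:
    """Controllable clock so the limiter can be exercised without sleeping."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SlidingWindowLimiter:
    """Allows at most `max_requests` events per key within any window of
    `window_seconds`. Timestamps are kept per key in a deque and entries
    older than the window are dropped on each call."""

    def __init__(self, max_requests: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.events = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def handle_password_reset(email: str, client_ip: str,
                          per_account: SlidingWindowLimiter,
                          per_client: SlidingWindowLimiter) -> int:
    """Returns an HTTP-style status code. Both limits must pass. The
    response is the same whether or not the account exists, so the endpoint
    does not confirm which e-mail addresses are registered."""
    if not per_client.allow(client_ip) or not per_account.allow(email.lower()):
        return 429  # Too Many Requests
    # Hypothetical: enqueue the reset e-mail here.
    return 202  # Accepted


def reset_burst(count: int, clock: FakeClock) -> list:
    """Send `count` reset requests for one account from one address with the
    assumed limits: 3 per account per 15 minutes, 10 per client per hour."""
    per_account = SlidingWindowLimiter(3, 15 * 60, clock.now)
    per_client = SlidingWindowLimiter(10, 60 * 60, clock.now)
    return [handle_password_reset("user@example.test", "198.51.100.9",
                                  per_account, per_client)
            for _ in range(count)]


if __name__ == "__main__":
    print(reset_burst(5, FakeClock()))  # first three accepted, rest refused
```

Keying by both account and client address matters: a limit on the account alone still lets one source hammer many different mailboxes, while a limit on the source alone is trivially spread across addresses. In a real deployment the per-key state would live in a shared store rather than process memory so that every front-end node enforces the same count.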

Last year, the VPN service disclosed a data breach at one of its data centers, caused by a remote management system operated by a third-party data center provider. NordVPN did not know about it until a hacker managed to gain access, but given the seriousness of the matter - as VPN services rely on user trust and data protection to succeed - the company moved its business elsewhere.

 
