NordVPN Patches Flaw That Exposed Users’ Details
By Aneesh A S
NordVPN, one of the most popular VPN services, has fixed a security flaw that existed in its payment systems. The vulnerability is said to have exposed customers’ email addresses and other information.
The vulnerability was linked to three payment platforms used by NordVPN: Momo, Gocardless, and Coinpayments. The flaw was disclosed by a researcher through the popular bug bounty platform HackerOne in December 2019.
The researcher found that anyone who sent an HTTP POST request to join.nordvpn.com, without any authentication, could see the payment method and payment URL, the user's email address, the product being purchased, and the amount and currency of the transaction. NordVPN said in a statement that only a handful of random email addresses might have been at risk and added that no other customer data were exposed.
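As an added illustration of the bug class described above (hypothetical code, not NordVPN's or the researcher's), the following Python snippet shows an order-status handler that returns checkout details to any unauthenticated POST, beside a hardened version that requires a session, returns only the caller's own order, and answers 404 for both unknown and foreign order IDs so the endpoint cannot be used to enumerate orders. The order store, session table, field names and request shape are all assumptions made for the example.

```python
"""Vulnerable vs hardened order lookup (illustrative, framework-free).

Requests are modelled as plain dicts: {"method", "cookies", "form"}.
Handlers return (http_status, json_serialisable_body).
"""

# Constructed sample data for the example; not real customers or orders.
ORDERS = {
    "ord_1001": {
        "user_id": "u1", "email": "alice@example.com",
        "product": "1-year plan", "amount": "83.88", "currency": "USD",
        "payment_method": "gocardless",
        "payment_url": "https://pay.example/checkout/ord_1001",
    },
    "ord_1002": {
        "user_id": "u2", "email": "bob@example.com",
        "product": "1-month plan", "amount": "11.95", "currency": "EUR",
        "payment_method": "coinpayments",
        "payment_url": "https://pay.example/checkout/ord_1002",
    },
}

# Session token -> user id (assumed to be set by a separate login flow).
SESSIONS = {"sess_alice": "u1", "sess_bob": "u2"}

# Fields the checkout page actually needs; email and payment method are not
# among them, so the hardened handler never returns them.
PUBLIC_FIELDS = ("product", "amount", "currency", "payment_url")


def vulnerable_order_status(request):
    """Bug class from the article: the only input is an order id, no session
    is checked, and everything known about the order is returned."""
    order_id = request.get("form", {}).get("order_id")
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, {k: v for k, v in order.items() if k != "user_id"}


def hardened_order_status(request):
    """Require POST, a valid session, and ownership of the order; never
    distinguish 'no such order' from 'not your order'."""
    if request.get("method") != "POST":
        return 405, {"error": "method not allowed"}

    token = request.get("cookies", {}).get("session")
    user_id = SESSIONS.get(token) if token else None
    if user_id is None:
        return 401, {"error": "authentication required"}

    order_id = request.get("form", {}).get("order_id", "")
    order = ORDERS.get(order_id)
    # Ownership check: a foreign order looks exactly like a missing one.
    if order is None or order["user_id"] != user_id:
        return 404, {"error": "not found"}

    return 200, {k: order[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    anon = {"method": "POST", "form": {"order_id": "ord_1001"}}
    print("vulnerable, no session:", vulnerable_order_status(anon))
    print("hardened, no session:  ", hardened_order_status(anon))
    bob = {"method": "POST", "cookies": {"session": "sess_bob"},
           "form": {"order_id": "ord_1001"}}
    print("hardened, wrong user:  ", hardened_order_status(bob))
    alice = {"method": "POST", "cookies": {"session": "sess_alice"},
             "form": {"order_id": "ord_1001"}}
    print("hardened, owner:       ", hardened_order_status(alice))
```

The two things worth copying from the hardened handler are the ownership comparison (the order must belong to the authenticated user, not merely exist) and the uniform 404, which keeps an attacker who guesses order IDs from learning which ones are valid.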
The vulnerability was rated high severity, the CVSS band covering scores from 7.0 to 8.9. NordVPN has patched the vulnerability and awarded the researcher a $1,000 bounty. It remains unclear whether NordVPN has notified affected users about the issue; the company has only said that the bug is fixed.
Multiple Bugs Patched Since The Bug Bounty Program
NordVPN launched its bug bounty program on HackerOne in October 2019. The announcement came after the company faced backlash over a security breach that had come to light in October 2019.
NordVPN's HackerOne profile shows a steady stream of vulnerabilities being reported and addressed. NordVPN fixed the absence of rate limiting on its password reset feature. It also patched a critical-severity privacy bug caused by the potential reuse of an API key that could send connection information to a third-party service; that report earned the researcher a $7,777 bounty.