NordVPN HTTP POST bug exposed customer information, no authentication required

The exploit could be triggered with a simple request.
Written by Charlie Osborne, Contributing Writer

NordVPN has plugged a hole in the company's payment platform which leaked sensitive customer data.

As reported by The Register, the vulnerability was made public on HackerOne in February, a bug bounty platform in which researchers can privately disclose security issues to vendors in return for credit and financial rewards. 

Disclosed by a researcher under the name "dakitu" and issued a "high" severity score of 7 - 8.9, the Insecure Direct Object Reference (IDOR) vulnerability could be triggered by sending an HTTP POST request to the nordvpn.com domain. 

See also: How to find the best VPN service: Your guide to staying safe on the Internet

Without any form of authentication, a request sent to the website's API would return a string of user information. A test account was used to pingback information including email addresses, payment merchant records, URLs, products purchased, and amounts paid. 

By changing the user ID, the bug could potentially be used to view other profile information and datasets. 

A NordVPN spokeswoman told ZDNet:

"We have confirmed with our tech team that the issue was disclosed on H1 only after evaluating that no data had been exploited. The vulnerability was isolated to three small payment providers and possible to exploit only within a limited timeframe. Third-party requests to automatically generate IDs have always been rate-limited. Over the period when the vulnerability existed, our detection system did not indicate any suspicious behavior.

We are very happy about the bug bounty program. Because of it, we are able to fix issues before they can actually be exploited." 

CNET: Best free VPNs: 5 reasons why they don't exist

The vulnerability was patched in December and dakitu was awarded a $1,000 bug bounty. 

At the same time, a separate bug bounty was also resolved in the NordVPN platform. Researcher th3pr0xyb0y disclosed a rate-limiting issue on NordVPN's forgotten password page, in which there was no limit in place for password requests. 

A $500 bug bounty was awarded for the second security issue. 

TechRepublic: Coronavirus: What business pros need to know

Last year, the VPN service revealed a data breach at one of its data centers, caused by a remote management system belonging to a third-party data center provider. 

NordVPN did not know it existed until a cyberattacker obtained access, but given the severity of the issue -- as VPN services rely on user trust and data protection to be successful -- the company immediately terminated its data center rental contract and took its business elsewhere. 

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards