Russian internet security firm Kaspersky have been embarrassed by revelations that their in-house VPN has been leaking details of the websites users visit. But it seems they have failed to reward the security analyst who uncovered the vulnerability.
The VPN offered by Kaspersky to their users is known as Secure Connection and claims to operate in much the same way as independent VPNs such as ExpressVPN or IPVanish. According to Kaspersky, the service has more than 1,000,000 users worldwide.
If so, that is a lot of people who will be worried today, because it seems that Secure Connection is not quite as secure as Kaspersky might like you to think.
Secure Connection’s major DNS leak issue
That is because Dhiraj Mishra, an online security analyst, took a closer look and found that Secure Connection had a serious DNS leak issue. What that means is that details of which sites you were visiting, and when, were exposed outside the encrypted tunnel.
When you connect to a VPN, everything you do online is supposed to be rerouted through that VPN’s encrypted tunnel to their external server.
This encryption stops prying eyes from being able to see what you are doing online. Once the data leaves the VPN server it should then be impossible to trace that activity back to your internet connection.
When you visit a website, your browser has to look up the IP address of that site, and to do so it reaches out to a DNS server, usually provided by your ISP or 4G provider. With a VPN connected, those lookups should travel through the encrypted tunnel, but with Kaspersky’s Secure Connection they didn’t.
Because Kaspersky’s Secure Connection was failing to reroute DNS lookups through its encrypted tunnel, your DNS server was able to log which websites you were visiting and when. What is more, it could link that information directly to your own IP address, since the queries arrived from your real connection rather than from the VPN server.
In other words, Kaspersky’s Secure Connection was providing its users with anything but a secure connection. All of their internet activity was freely and openly available.
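The leak described above is easy to spot in a packet capture: DNS queries leaving on the physical uplink instead of the tunnel interface. The following is an added illustration, not code from the article or from Kaspersky, that runs a simple leak check over a constructed capture export; interface names, addresses and the log format are assumptions.

```python
"""Detect VPN DNS leaks in a simplified connection log (constructed sample data).

Each line of the log holds: interface, source IP, destination IP, destination
port and, for DNS traffic, the queried name ("-" when not applicable).
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ConnRecord:
    iface: str
    dst_ip: str
    dst_port: int
    qname: str

# Constructed sample (not real traffic). Assumptions: tun0 is the VPN tunnel,
# eth0 the physical uplink, 10.8.0.1 the VPN provider's in-tunnel resolver and
# 203.0.113.53 the ISP resolver that should never see queries while connected.
SAMPLE_LOG = """\
tun0 10.8.0.2 10.8.0.1 53 example.com
eth0 192.0.2.10 203.0.113.53 53 mail.example.org
tun0 10.8.0.2 10.8.0.1 53 news.example.net
eth0 192.0.2.10 203.0.113.53 53 bank.example
eth0 192.0.2.10 198.51.100.7 443 -
"""

def parse_log(text: str) -> List[ConnRecord]:
    """Parse the five-column log, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        iface, _src, dst, port, qname = parts
        records.append(ConnRecord(iface, dst, int(port), qname))
    return records

def find_dns_leaks(records: List[ConnRecord], tunnel_iface: str = "tun0") -> List[str]:
    """Return queried names sent on port 53 over any interface other than the tunnel.

    Such a query reaches a resolver from the client's real IP, which is exactly
    what lets the resolver operator tie browsing history to that address.
    """
    return [r.qname for r in records if r.dst_port == 53 and r.iface != tunnel_iface]

def summarize(records: List[ConnRecord], tunnel_iface: str = "tun0") -> Dict[str, int]:
    """Count DNS queries that stayed inside the tunnel versus those that leaked."""
    dns = [r for r in records if r.dst_port == 53]
    leaked = sum(1 for r in dns if r.iface != tunnel_iface)
    return {"tunnelled": len(dns) - leaked, "leaked": leaked}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs), find_dns_leaks(recs))
```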
The issue is thought to have affected Version 18.104.22.168 and earlier and, after being informed of the problem by Dhiraj Mishra, Kaspersky has now fixed it.
Bad practice by Kaspersky
However, that is not the end of the story, because, according to reports in The Register, Kaspersky has failed to reward Mishra for his help.
It is common practice for independent security analysts to seek out vulnerabilities in software and then report them to the host company in exchange for a financial reward. Mishra did exactly this, reporting the Secure Connection vulnerability to Kaspersky through their HackerOne-hosted bounty programme.
However, he did this some four months ago and so far, he has not received any reward from Kaspersky for his efforts. This is considered extremely bad practice in the internet security community as it is seen to disincentivize hackers from reporting vulnerabilities found.
The reason seems to be bureaucracy. According to the terms of the Kaspersky bug-bounty programme, they only pay out for vulnerabilities which leak sensitive data, and Kaspersky defines sensitive data as things like passwords and credit card information, not IP addresses.
That will raise eyebrows among users of their VPN service, given that one of its primary purposes is to protect IP addresses and domain-name lookups.
It will be interesting to see how many choose to switch to another VPN provider which does not contain such critical vulnerabilities and does understand how important keeping IP addresses safe is to its users.
What to do if you use Secure Connection
If you are a Kaspersky Secure Connection user, our initial advice is to ensure that you have updated to the latest version of their software, which has the security patch to fix this vulnerability.
But we would also suggest that you consider switching to an independent VPN which perhaps takes your online privacy a little more seriously.
Kaspersky’s reputation has taken a hammering of late, with multiple reports highlighting their close ties to the regime of Russian President Vladimir Putin.
A number of big companies have stopped using Kaspersky products, and there are even question marks over whether individuals can really trust them to keep their data safe.
In light of these latest revelations about their VPN service, now would seem like the ideal time to turn to another independent provider with no such rumours and links to authoritarian regimes hanging over their heads.