In early February, the HackerOne bug bounty platform revealed that NordVPN had recently patched a vulnerability in its payments platform that potentially put users' data in jeopardy.
HackerOne is a platform through which ethical hackers report the vulnerabilities they discover to the companies involved and claim rewards for them.
NordVPN’s payment flaw
This particular flaw was a relatively simple one. It was discovered by a hacker called Dakitu on December 5th last year.
Dakitu found that an HTTP POST request to join.nordvpn.com, sent without any authentication at all, returned a subscriber's email address, URL, payment method, amount paid, and the product or package they had bought.
The response also contained the id and user_id numbers of the subscriber record. By changing these numbers in subsequent requests it was possible to view the details of other NordVPN customers: the endpoint trusted the caller-supplied identifier and never checked who was asking. This class of bug is usually called an insecure direct object reference (IDOR).
This means that it would have been possible to seek out individual NordVPN subscriber details, although, as cyber-security expert Professor Alan Woodward told The Register, "it would require an extra step to enumerate user IDs before the attack would work at scale." He did, however, add that this was technically possible.
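To make the flaw concrete, here is an added example (not NordVPN's code, and not the actual join.nordvpn.com endpoint): a lookup handler that behaves the way the report describes, next to a hardened version that requires a session and binds the record to the logged-in user. The subscriber records, field names, request shape and session model are all assumptions constructed for the example; the enumeration loop is the "extra step" Professor Woodward refers to.

```python
"""Added example, not NordVPN's code: an insecure direct object reference
(IDOR) in an order-lookup endpoint, beside a hardened handler.

All records below are constructed for the example. Field names follow the
article's description of the response; the Request/session shape is assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed subscriber records keyed by order id (not real customers).
ORDERS: Dict[int, dict] = {
    101: {"id": 101, "user_id": 7, "email": "alice@example.com",
          "payment_method": "card", "amount": 83.88, "product": "2-year plan"},
    102: {"id": 102, "user_id": 8, "email": "bob@example.com",
          "payment_method": "paypal", "amount": 11.95, "product": "1-month plan"},
}


@dataclass
class Request:
    method: str
    body: dict
    session_user_id: Optional[int] = None  # None means unauthenticated


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


def vulnerable_order_lookup(req: Request) -> dict:
    """The bug: trusts the id in the POST body and checks nothing else."""
    return ORDERS[req.body["id"]]


def hardened_order_lookup(req: Request) -> dict:
    """Fix: demand a session, then only return records owned by that user."""
    if req.session_user_id is None:
        raise Unauthorized("login required")
    order = ORDERS.get(req.body["id"])
    # Same response for "missing" and "not yours", so the endpoint does not
    # confirm which ids exist to someone walking the id space.
    if order is None or order["user_id"] != req.session_user_id:
        raise Forbidden("no such order")
    return order


def enumerate_emails(handler: Callable[[Request], dict],
                     id_range: Iterable[int]) -> List[str]:
    """Attacker loop: walk candidate ids unauthenticated and keep any email
    that comes back. Against the vulnerable handler this is the enumeration
    step; against the hardened one it yields nothing."""
    leaked: List[str] = []
    for oid in id_range:
        try:
            leaked.append(handler(Request("POST", {"id": oid}))["email"])
        except (KeyError, Unauthorized, Forbidden):
            continue
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_emails(vulnerable_order_lookup, range(100, 105)))
    print("hardened:  ", enumerate_emails(hardened_order_lookup, range(100, 105)))
```

The ownership check is the whole fix; authentication on its own is not enough, because a logged-in customer could still walk other customers' ids. Returning the same error for "does not exist" and "not yours" keeps the id space from being mapped.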
Did NordVPN react to this flaw properly?
This is “the sort of bug that can erode trust, which is vital to VPNs”, Professor Woodward added. He is absolutely right. The whole VPN customer model is built on subscribers trusting VPN providers to handle their data securely and privately.
So, how did NordVPN deal with this situation?
NordVPN appears to have responded to the flaw within two days, which we can assume means it was patched in that time-frame or shortly after. NordVPN also paid the hacker in question a US$1,000 reward in line with the HackerOne bug bounty programme.
But it does not appear to have gone public about the vulnerability, and there is no evidence that it has approached users who may have been affected by the flaw to inform them.
This is not the level of transparency we would usually hope to see from a premium VPN like NordVPN. That is certainly the implication of The Register's rather hostile article.
But maybe they are laying it on a bit thick. NordVPN spokesperson Judy Myers told The Register, "This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting," before adding, "Theoretically, only email addresses could have been seen by a third party."
She also pointed out that it was discoveries like this which were the reason NordVPN signed up with HackerOne and other such bug bounty programmes in the first place.
“Such reports are one of the reasons why we have launched the bug bounty program,” she explained. “We are extremely happy with its results and encourage even more researchers to analyze our product.”
This is not the only HackerOne report involving NordVPN that the company has paid out on, either. Around the same time, another hacker noticed that there was no rate limit on the forgot-password page of its website, which would have allowed password-reset requests to be fired off in bulk. NordVPN paid out on this issue too.
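Rate limiting is the control NordVPN credits with keeping the payment flaw to "a handful of users", and its absence is the whole of the forgot-password finding. The following added example (not NordVPN's code) shows a per-client sliding-window limiter of the kind that applies to both: an unthrottled endpoint lets an attacker make as many requests as they like, a throttled one admits a few and refuses the rest until the window passes. The limits, the client key (an IP from the TEST-NET-3 documentation range) and the injected clock are assumptions chosen so the run is deterministic.

```python
"""Added example, not NordVPN's code: a per-client sliding-window rate
limiter, applied to a simulated flood of forgot-password requests.

The clock is injected so the behaviour is reproducible offline. The limit
of 5 requests per 60 seconds and the client IP are constructed assumptions.
"""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class SlidingWindowLimiter:
    """Allows at most max_requests per key in any window_seconds interval."""

    def __init__(self, max_requests: int, window_seconds: float,
                 now: Callable[[], float]):
        self.max_requests = max_requests
        self.window = window_seconds
        self.now = now
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        t = self.now()
        q = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while q and t - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # refused: caller should see HTTP 429 or similar
        q.append(t)
        return True


class FakeClock:
    """Deterministic stand-in for time.monotonic()."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_reset_flood(attempts: int, max_requests: int = 5,
                         window: float = 60.0) -> dict:
    """Fire `attempts` forgot-password requests from one client with almost no
    delay between them. Returns how many were accepted versus refused."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(max_requests, window, clock)
    accepted = refused = 0
    for _ in range(attempts):
        if limiter.allow("203.0.113.5"):  # constructed attacker IP (TEST-NET-3)
            accepted += 1
        else:
            refused += 1
        clock.advance(0.01)  # 10 ms between requests, all inside one window
    return {"accepted": accepted, "refused": refused}


if __name__ == "__main__":
    print(simulate_reset_flood(1000))
```

Keying on source IP is the simplest choice and the one an attacker can sidestep with a pool of addresses; keying on the target account (the email being reset, or the id being looked up) as well closes that gap. Either way, the limiter slows an enumeration attack down rather than stopping it, which is exactly why Professor Woodward's "at scale" qualifier matters and why the ownership check on the endpoint itself is the real fix.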
Should NordVPN users be worried?
It is, of course, concerning when subscribers to a VPN read about vulnerabilities that could potentially put their privacy and security at risk. Their concerns understandably grow when they read about such things from a third-party source.
But it is important to put vulnerabilities like this in context. NordVPN's platforms will contain thousands of lines of code, and there are inevitably going to be a few vulnerabilities in there. All code has some flaws in it.
What is important is that companies do all they can to ensure that these flaws are found and fixed before hackers can exploit them. That is precisely what bug bounty programmes like HackerOne were set up for and why NordVPN signed up with them in the first place.
What this case shows is a system that is working. It also shows NordVPN reacting quickly and decisively when flaws are found.
The question of whether they should be more transparent about these flaws is less clear. We would argue that they should, as the more transparent they are, the more confidence customers will have in them.
But we understand why they aren’t. If they report a new flaw every few weeks, the uninitiated will think there are major issues with their platform and this isn’t the case. They are also adamant that these flaws were minor and very few customers were affected.
For now, we would advise customers to take NordVPN at their word. There is certainly no evidence that either of these vulnerabilities has been exploited by hackers, or that any NordVPN user data has been compromised.
But we would also encourage NordVPN to think about how it can better communicate with its users about these issues to stop them having to read scary stories like this one and fearing the worst unnecessarily.