Security Flaw Discovered in Windscribe Software for Mac


In a startling revelation, a security researcher has discovered a critical zero-day exploit in Windscribe VPN’s software, potentially affecting millions of users.

The flaw, uncovered by Gergely Kalman and published on his hacking blog, is claimed to permit user-to-root privilege escalation due to a ‘race condition’ on macOS, and Kalman suggests that similar vulnerabilities may be present on the Linux and Windows builds.

Windscribe, a VPN provider with a self-proclaimed 69 million users, is known both for its ‘social good’ work, providing free premium services to people in areas suffering from overbearing censorship or disasters, and for its failing attempts at a humorous social media presence.

However, the levity of its online interactions stands in stark contrast to the severity of the security issues found in its software.

The Discovery of the Flaw

Kalman’s research, which he detailed in a blog post, describes the exploit as “user to root LPE” (Local Privilege Escalation), where an ordinary user can gain root access, the highest level of control within the macOS system.

This level of access can potentially allow attackers to take complete control of the user’s system.

The Mac was once seen as the exploit-free system, as ne’er-do-wells turned their attention to the more popular Windows systems. These days that is no longer the case.

According to Kalman, the root of the problem lies in the VPN’s ‘helper tool’, which runs as root and accepts commands from the desktop client.

The vulnerability specifically exploits the way the helper tool checks the sender’s PID (Process ID) and performs checks on the sender’s program path, a method that can be easily circumvented.

Technical Insight

Kalman points out that the codebase of Windscribe VPN appears to be poorly crafted, drawing comparisons to a “first C++ project” rather than a robust security product.

Hardly a glowing review.

This observation is further substantiated by examples of basic security oversights, such as improper command execution checks, making the software an easy target for exploitation.

Exploit Details

The exploit included in Kalman’s disclosure demonstrates how attackers can execute malicious payloads to escalate their privileges.

Notably, Windscribe’s process of invoking commands (like OpenVPN) in subshells is criticised for being insecure and easily manipulated by attackers.
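The two design points the article attributes to the helper tool, trusting a PID-to-path lookup as proof of the caller's identity and launching OpenVPN through a subshell, are easy to see in code. The block below is an added illustration written for this article; it is not Windscribe's code, and the client path, PID value and config directory in it are constructed for the demonstration. It models the racy identity check next to the kernel-supplied connection credentials a hardened helper would rely on (SO_PEERCRED on Linux; the macOS audit-token equivalent is described in a comment, not modelled), and the shell-string command next to a fixed argv with the config file confined to a helper-owned directory.

```python
"""Model of a root 'helper tool' that takes commands from a desktop client.

Added illustration, not Windscribe's code. It contrasts the two weaknesses the
article attributes to the helper with hardened alternatives:
  (1) authorising the caller by resolving a PID to an executable path, a
      snapshot that can change between the check and the privileged action;
  (2) building the OpenVPN command line as one shell string.
Paths, the PID and the config directory below are constructed for the demo.
"""
import os
import shlex
import socket
import struct
import subprocess
import sys

# Hypothetical trusted client path; the real helper's allowlist is not on the page.
TRUSTED_CLIENT_PATH = "/Applications/Example VPN.app/Contents/MacOS/Example VPN"


# ---- (1) caller identity -------------------------------------------------

def pid_path_check(pid, resolve_path):
    """Weak pattern: PID -> executable path -> allowlist comparison.
    `resolve_path` stands in for proc_pidpath() on macOS or
    readlink(/proc/<pid>/exe) on Linux; it describes whoever holds `pid`
    at that instant only."""
    return resolve_path(pid) == TRUSTED_CLIENT_PATH


def authorize_then_act(pid, resolve_path, act):
    """The racy shape: authorise on one observation, act on a later one."""
    if not pid_path_check(pid, resolve_path):
        return "denied"
    # Window: a different program may now own this PID (exec of a new image,
    # or PID reuse after the checked process exited).
    return act(pid, resolve_path(pid))


def race_window_demo():
    """Constructed lookup: the check observes the trusted client, the use
    observes a different program behind the same PID."""
    observations = iter([TRUSTED_CLIENT_PATH, "/tmp/not-the-client"])
    return authorize_then_act(4242, lambda pid: next(observations),
                              lambda pid, path: "acted on behalf of " + path)


def peer_credentials(sock):
    """Hardened direction: take the caller's identity from the connection the
    kernel already vouches for, not from a PID the helper resolves itself.
    Linux SO_PEERCRED gives the peer's (pid, uid, gid) fixed at connect time;
    the macOS analogue is the audit token delivered with an XPC/Mach message
    plus a code-signing requirement on the client (not modelled here).
    Returns None where SO_PEERCRED does not exist."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return {"pid": pid, "uid": uid, "gid": gid,
            # Both ends of the socketpair below live in this process, so the
            # kernel-reported identity must be our own.
            "is_self": uid == os.getuid() and pid == os.getpid()}


def peer_credentials_demo():
    helper_end, client_end = socket.socketpair(socket.AF_UNIX)
    try:
        return peer_credentials(helper_end)
    finally:
        helper_end.close()
        client_end.close()


# ---- (2) launching OpenVPN -----------------------------------------------

def shell_command_for_openvpn(config_path):
    """Weak pattern: one string handed to a shell, which re-tokenises it, so
    spaces and metacharacters inside config_path change the command."""
    return "openvpn --config " + config_path


def config_is_confined(config_path, allowed_dir):
    """True only if config_path, after symlink/normalisation via realpath,
    lies inside the helper-owned directory."""
    allowed = os.path.realpath(allowed_dir)
    real = os.path.realpath(config_path)
    return os.path.commonpath([real, allowed]) == allowed


def argv_for_openvpn(config_path, allowed_dir):
    """Hardened: fixed argv (no shell) and a confined config path."""
    if not config_is_confined(config_path, allowed_dir):
        raise ValueError("config file outside helper-owned directory")
    return ["openvpn", "--config", os.path.realpath(config_path)]


def argv_roundtrip(arg):
    """An argv element reaches the child verbatim, whatever it contains.
    A Python one-liner stands in for the OpenVPN binary."""
    proc = subprocess.run([sys.executable, "-c", "import sys; print(sys.argv[1])", arg],
                          capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    print(race_window_demo())                                    # action served a different program
    print(peer_credentials_demo())                               # kernel-attested pid/uid/gid
    print(shlex.split(shell_command_for_openvpn("my config.ovpn")))  # 4 words, not 3
    print(argv_for_openvpn("/tmp/helper-configs/work.ovpn", "/tmp/helper-configs"))
    print(argv_roundtrip("my config.ovpn"))                      # one argument, unchanged
```

The `shlex.split` line only shows how a POSIX shell would tokenise the weak command string; nothing is executed through a shell. The confinement check uses `realpath` on both the directory and the file so that `..` segments and symlinks are resolved before comparison.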

Controversial Disclosure and Online Spat

The public disclosure of the exploit was accompanied by a public spat on X (formerly Twitter) between Kalman and Yegor Sak, owner of Windscribe.

The exchange highlighted a difference in perspectives on ethical vulnerability disclosure.

Kalman argues that his approach was warranted given the potential risk to users and the alleged history of Windscribe’s poor handling of bug reports.

Sak, on the other hand, criticised Kalman’s method as “unethical” and contrary to the principles of responsible disclosure.

He also questionably referenced legal implications under Hungarian law, suggesting that Kalman’s actions could be seen as criminal; Kalman, however, appeared unimpressed by the threat.

Broader Implications for VPN Users

This incident serves as a stark reminder of the risks associated with using commercial VPNs.

In some credit to Windscribe, it is the publishing of its source code that gives bug bounty hunters like Kalman the opportunity to discover such issues.

Users often install these applications hoping for enhanced security and privacy, yet as demonstrated, they may unknowingly subject their systems to greater risk.

The debate between Kalman and Sak also sheds light on the challenges and ethical considerations in the cybersecurity field, especially regarding how vulnerabilities are disclosed and handled by companies.

Windscribe’s social media presence often reads like a personal vent from Sak himself and, as Kalman notes in his opening paragraphs, often rubs people up the wrong way.

As the VPN industry has long since matured from a cottage-industry, back-bedroom affair into a multi-billion dollar global industry, personal venting from the likes of Sak comes across as unprofessional and has all the hallmarks of someone who cannot separate himself from his product.

While Sak may have been unhappy with the way the disclosure was made, it would have been more professional to resolve the issues amicably and privately.

As the dust settles on this incident, Windscribe users are advised to stay alert for updates from the company addressing these security flaws.

Meanwhile, the cybersecurity community continues to debate the best practices for ethical disclosure, balancing the need to protect users with the rights of companies to respond to and mitigate reported vulnerabilities.

It goes without saying that without researchers like Gergely Kalman these failings could be exploited by bad actors; we doff our hat to ‘Greg’.

Author: Hans Wagner

With a Computer Science degree in his toolkit, Hans is passionate about online privacy and cybersecurity. He loves breaking down complex tech topics so that everyone, from beginners to experts, can understand and benefit. He's all about empowering people to navigate the digital world safely and confidently.
