A security flaw, which affected users of both NordVPN and Proton VPN have been successfully patched before details of the issue became public. And despite the headlines, it seems certain no users have been affected.
The flaw, which was identified by security researchers at Cisco Talos, would have made it possible for hackers to execute arbitrary code. It is thought to have only affected Windows users and could only have been exploited if the hacker already had access to the user’s PC.
The origins of the flaw
The initial flaw was discovered back in April and is thought to have been similar to a Windows privilege escalation security flaw revealed by VerSprite security researchers earlier in the year.
It is thought that both NordVPN and Proton VPN were affected because they use a similar interface design. The interface of both VPNs sends information about users desired connections back to the VPN using an OpenVPN configuration file.
The original flaw made it possible for hackers to create a crafted OpenVPN file containing malicious coding which could enable them to tamper with the VPN connection and possibly access sensitive user information. But to do this, they would have needed access to a user’s PC.
Both NordVPN and ProtonVPN quickly patched this issue when it was revealed back in April. However, Cisco Talos subsequently found a way to get around those patches.
Both security patches could be bypassed
These two different security vulnerabilities would both have enabled a hacker to bypass the security patch and execute arbitrary code to hijack the VPN connection as before.
Both NordVPN and ProtonVPN were informed about this new flaw before it was made public. NordVPN reacted quickly and pushed out a new security patch in August which fixed it for good.
The NordVPN patch uses an XML model to generate OpenVPN configuration files which cannot be edited by users. This makes it impossible for hackers to create fake OpenVPN files as was previously possible.
ProtonVPN was a bit slower, but they too have now issued a security update which solves the issue. Their patch simply moves OpenVPN config files to the installation directory, where standard users cannot modify it.
In both cases, correct protocols have been followed. Security researchers informed the VPN providers when the flaw was uncovered and gave adequate time for a security patch to be released before going public with their findings.
Both VPNs have also followed best practice too. They have accepted the findings of the security researchers without question and quickly issued a fix to the problems once they were identified.
A little media sensationalism
Some of the headlines regarding these flaws have been a little sensationalised, to say the least. Talk of major security flaws is stretching the boundaries of reality a little far.
It is certainly true that both VPNs did contain the security flaws discussed above. But, these were not flaws that were easy to exploit. To take advantage, a hacker would have to not only identify the flaw but also have access the PC of individual users.
There is no evidence to suggest that any users of either NordVPN or Proton VPN have had their VPN network compromised by this flaw.
Speaking to ZDNet, both VPN providers confirmed this. Marty Kamden, CEO of NordVPN stressed that, “The update has already been pushed to all of our customers as well, and none of them are vulnerable at the moment.”
He also made the point that, if a hacker had managed to gain access to a user’s PC, there are any number of security threats that are far easier to exploit than this one. It is therefore reasonable to conclude that no-one is likely to have had their VPN connection compromised by this flaw.
As public awareness of VPNs grows, it is inevitable that security flaws will generate sensationalised headlines like these.
But the reality is that a VPN is a piece of software that can contain security vulnerabilities like any other. The difference is that the best VPNs are acutely aware of the importance of dealing with these issues quickly and effectively.
All the top VPNs offer bug bounty programmes, all follow best practice when advised of flaws by security researchers (as in this case), and all push out regular updates to keep security provisions up to date.
VPN users shouldn’t be put off by headlines talking about major security flaws. Security vulnerabilities will be found. But, providing you sign up to a reputable VPN provider, you can be confident that they will be taking every possible step to keep their users safe.