NordVPN fixed two critical vulnerabilities last month, which were discovered in the “HackerOne” bug bounty hunters platform. According to what was made known, anyone could send an HTTP POST request to “join.nordvpn.com” to essentially read the email addresses and payment method of other users without having to go through any authentication. Other details exposed in this way are the currencies used, the payment URL, the amount, and which product they bought. This vulnerability doesn’t have to do anything with the user password and how strong it may be, as this is overridden entirely.
One thing to note is that the HTTP POST requests turn back the “user_id” numbers so a potential hacker would have to perform ID enumeration. It would be possible for someone to write a script to enumerate IDs and send multiple POSTS to find out any valid IDs. This would be an arduous process, but still possible. The researcher who discovered this received a bounty of $1000, while the bug has been fully fixed since December 2019.
The second bug that had a payout of $500 and was disclosed around the same time, concerns a bug in the password resetting system of the platform. More specifically, the system has no rate limit and thus can be used to loop through one request. This would cause “mass mailing/bombing” to the holder of the account. In the case of a business, this flaw could potentially introduce a significant interruption. NordVPN fixed this in December 2019, so if someone tries to generate too many requests they will now get a “status code 429” response.
NordVPN’s Jody Myers has made the following statement about the above flaws on The Register:
“Such reports are one of the reasons why we have launched the bug bounty program. We are extremely happy with its results and encourage even more researchers to analyze our product. This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting. Theoretically, only email addresses could have been seen by a third party.”
Despite of what has happened to NordVPN with its data centers back in October 2019, and the subsequent credential stuffing attacks that hit two thousand of its users, the particular VPN product remains a trustworthy and reliable choice in the field. It is regularly being reviewed by penetration testing auditors and scrutinized by bug bounty hunters like those active in HackerOne. Flaws are always there, so finding and fixing them is where the focus should be, and NordVPN seems to be acting responsibly on that part.