NordVPN HTTP POST bug exposed customer information, no authentication required

March 9, 2020
in Internet Security

NordVPN has plugged a hole in the company’s payment platform which leaked sensitive customer data.

As reported by The Register, the vulnerability was made public in February on HackerOne, a bug bounty platform on which researchers can privately disclose security issues to vendors in return for credit and financial rewards.

Disclosed by a researcher under the name “dakitu” and rated “high” severity (score 7 – 8.9), the Insecure Direct Object Reference (IDOR) vulnerability could be triggered by sending an HTTP POST request to the nordvpn.com domain.

Without any form of authentication, a request sent to the website’s API would return a string of user information. A test account was used to retrieve information including email addresses, payment merchant records, URLs, products purchased, and amounts paid.

By changing the user ID in the request, the bug could potentially be used to view other customers’ profile information and datasets.
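The pattern described above, an endpoint that looks up a record by a client-supplied user ID without first authenticating the caller and checking that the caller owns that ID, is the textbook IDOR. The following is an added illustration written for this article, not NordVPN's code or anything taken from the HackerOne report: a vulnerable handler beside a hardened one, with constructed sample customers, sessions and field names standing in for a real payment platform.

```python
# Added example (not code from the article, NordVPN, or the HackerOne report).
# Models an IDOR in a "customer details" endpoint and the fix. All data,
# names and tokens below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Constructed customer store keyed by a sequential, easily guessable ID.
CUSTOMERS = {
    1001: {"email": "alice@example.test", "merchant": "merchant-a",
           "product": "1-year plan", "amount": "83.88"},
    1002: {"email": "bob@example.test", "merchant": "merchant-b",
           "product": "monthly plan", "amount": "11.95"},
}

# Constructed session store: opaque bearer token -> authenticated customer ID.
SESSIONS = {"tok-alice": 1001}


@dataclass
class Request:
    body: dict      # parsed JSON body of the HTTP POST
    headers: dict   # HTTP headers


@dataclass
class Response:
    status: int
    body: Optional[dict]


def get_customer_vulnerable(req: Request) -> Response:
    """IDOR: no authentication, and the object is chosen by the client-supplied ID."""
    user_id = int(req.body["user_id"])
    record = CUSTOMERS.get(user_id)
    if record is None:
        return Response(404, None)
    return Response(200, record)


def get_customer_secure(req: Request) -> Response:
    """Fixed version: authenticate first, then bind the object to the session identity."""
    token = req.headers.get("Authorization", "")
    caller = SESSIONS.get(token)
    if caller is None:
        # Unauthenticated callers get nothing, regardless of the ID they ask for.
        return Response(401, None)
    # If the body names an ID at all, it must match the authenticated identity.
    requested = int(req.body.get("user_id", caller))
    if requested != caller:
        # Same status as "no such record" so the endpoint does not confirm which IDs exist.
        return Response(404, None)
    return Response(200, CUSTOMERS[caller])


if __name__ == "__main__":
    probe = Request({"user_id": 1002}, {})            # no credentials at all
    print("vulnerable:", get_customer_vulnerable(probe))
    print("secure:    ", get_customer_secure(probe))
```

The important design choice in `get_customer_secure` is that the record returned is derived from the session, not from the request body; the body's `user_id` is at most cross-checked against it. Rate limiting ID generation, as NordVPN's statement mentions, slows enumeration but does not remove the underlying authorization gap.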

A NordVPN spokeswoman told ZDNet:

“We have confirmed with our tech team that the issue was disclosed on H1 only after evaluating that no data had been exploited. The vulnerability was isolated to three small payment providers and possible to exploit only within a limited timeframe. Third-party requests to automatically generate IDs have always been rate-limited. Over the period when the vulnerability existed, our detection system did not indicate any suspicious behavior.

We are very happy about the bug bounty program. Because of it, we are able to fix issues before they can actually be exploited.” 


The vulnerability was patched in December and dakitu was awarded a $1,000 bug bounty. 

At the same time, a separate bug bounty was also resolved in the NordVPN platform. Researcher th3pr0xyb0y disclosed a rate-limiting issue on NordVPN’s forgotten password page, in which there was no limit in place for password requests. 

A $500 bug bounty was awarded for the second security issue. 
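The second issue, a forgotten-password page with no limit on requests, is a throttling problem rather than an authorization one. As an added example (not NordVPN's implementation, and with constructed IP addresses and email addresses), here is a sliding-window rate limiter for a reset endpoint that counts requests both per source address and per target account, so that neither one client nor one victim account can be hit without bound.

```python
# Added example (not code from the article or from NordVPN): sliding-window
# rate limiting for a "forgot password" endpoint. Keys on both the client IP
# and the normalised account identifier. Sample inputs are constructed.
import time
from collections import defaultdict, deque


class ManualClock:
    """Deterministic clock for demos and tests; advance by setting .t."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class ResetRateLimiter:
    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps inside the window

    def _prune(self, key, now: float) -> None:
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow_reset(self, client_ip: str, email: str) -> bool:
        now = self.clock()
        keys = (("ip", client_ip), ("acct", email.strip().lower()))
        for k in keys:
            self._prune(k, now)
        # Check every key before recording, so a denied request consumes no budget.
        if any(len(self._hits[k]) >= self.limit for k in keys):
            return False
        for k in keys:
            self._hits[k].append(now)
        return True


def handle_forgot_password(limiter: ResetRateLimiter, client_ip: str, email: str) -> dict:
    """Returns a status and a uniform message that never reveals whether the account exists.
    The limiter decides whether a reset mail would actually be dispatched."""
    if not limiter.allow_reset(client_ip, email):
        return {"status": 429, "sent": False,
                "message": "If the account exists, a reset email has been sent."}
    # send_reset_email(email)  -- hypothetical mail hook, not implemented here
    return {"status": 200, "sent": True,
            "message": "If the account exists, a reset email has been sent."}


if __name__ == "__main__":
    clock = ManualClock()
    limiter = ResetRateLimiter(limit=3, window_seconds=600, clock=clock)
    for _ in range(4):
        print(handle_forgot_password(limiter, "203.0.113.5", "victim@example.test"))
```

Keying on the account as well as the source address matters because a limit on the IP alone is trivially spread across many addresses, while a limit on the account alone lets one client flood many accounts. The window here is in-memory and per process; a multi-node deployment would back the same logic with a shared store.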


Last year, the VPN service revealed a data breach at one of its data centers, caused by a remote management system belonging to a third-party data center provider. 

NordVPN did not know it existed until a cyberattacker obtained access, but given the severity of the issue — as VPN services rely on user trust and data protection to be successful — the company immediately terminated its data center rental contract and took its business elsewhere. 

Credit: Zdnet
