NordVPN praised its bug bounty program and said that a fix had been shipped within two days
NordVPN, one of the most popular virtual private network (VPN) services, has fixed a security flaw that is said to have exposed customers’ email addresses and other information.
The security hole was linked to three payment platforms used by NordVPN – Momo, Gocardless, and Coinpayments. According to The Register, which was the first to report on the issue, the flaw was uncovered by a researcher going by the moniker ‘dakitu’ and was disclosed via popular bug bounty platform HackerOne.
The researcher found that anyone who sent an HTTP POST request without authentication to join.nordvpn.com could see users’ email addresses, payment method and URL, the product they purchased, the amount they paid for it and even the currency used in the transaction.
There is actually some unclarity as to the severity of the bug, as NordVPN said in a statement today that only a handful of random email addresses – and no other customer data – might have been at risk.
Nevertheless, the vulnerability was uncovered on December 4th, 2019, before being fixed by NordVPN two days later. The flaw and its patch were made public on the website in February and ‘dakitu’ received a bounty reward of US$1,000 for his efforts.
NordVPN didn’t say whether it had notified its ..
Support the originator by clicking the read the rest link below.
