NordVPN praised its bug bounty program and said a fix was provided within two days
NordVPN, one of the most popular virtual private network (VPN) services, has fixed a security flaw that is said to have exposed customer email addresses and other information.
The security flaw was linked to three payment platforms used by NordVPN: Momo, Gocardless, and Coinpayments. According to The Register, which was the first to report on the matter, the flaw was discovered by a researcher named “dakitu” and was leaked via the popular bug bounty platform HackerOne.
The researcher found that anyone who sent an HTTP POST request without authentication to join.nordvpn.com could see the email addresses, payment method and URL of the users, the product purchased, the amount paid and even the currency used in the transaction.
There is actually some unclearness about the severity of the bug, as NordVPN said in a statement today that only a handful of random email addresses – and no other customer data – could be at risk.
However, the vulnerability was discovered on December 4thth, 2019, before being fixed by NordVPN two days later. The flaw and its patch went public on the website in February, and “dakitu” received a $ 1,000 reward for his efforts.
NordVPN did not say whether it informed its customers of the vulnerability or not. In any case, the company was pleased with the result, stating that it is one of the reasons it launched its bug bounty program and that they hope to reap more benefits in the future: “We are extremely happy with its results and also encourage more researchers to analyze our product “.
In October last year, NordVPN was criticized for taking too long to assess a security breach that may have lasted since March 2018. The company argued that the long disclosure period was necessary due to the size of its audit. of the infrastructure and number of servers that the company manages to host its service.
[ad_2]Source link