To help us provide you with free impartial advice, we may earn a commission if you buy through links on our site. Learn more

A flaw found in NordVPN could have exposed payment details and email addresses

The VPN giant's vulnerability, which has since been patched, was uncovered as part of the HackerOne scheme

NordVPN is, once again, in the headlines for a security flaw that could have exposed the payment details and email addresses of its users. 

 After falling victim to a large-scale data breach in 2018, the virtual network provider became a member of the HackerOne Bug Bounty program which encourages security researchers to continuously be checking its code and systems on the hunt for flaws, or potential flaws.  

The VPN giant’s latest vulnerability, which has since been patched, was uncovered as part of this HackerOne scheme in early February and was flagged to The Register by a concerned reader. 

READ NEXT: The best VPN services of 2020

It allowed anyone to send a request to an insecure API and get access to email addresses, payment methods, URLs, currency, previous payments and their order history.

Such requests should be protected by a layer of authentication, but this flaw granted access to the information without any security checks. 

In practice, as Professor Alan Woodward of the University of Surrey who first discovered the vulnerability, it would have been difficult for this flaw to be attacked at scale because the hacker would need to know ID numbers of users to target particular people but told The Register “it’s the sort of bug that can erode trust, which is vital to VPN providers.”

NordVPN said that such discoveries are the reason why it signed up to the HackerOne Bug Bounty program in the first place and is “extremely happy with the results” because it shows the system works and flaws can be quickly patched. A spokesperson added that the vulnerability was “isolated to three small payment providers” and was only possible to exploit within a limited timeframe.

They also assured users that no data was exploited, meaning that no hackers had taken advantage of the flaw in the time before it was discovered and patched. 

Read more