NordVPN quietly plugged vuln where an HTTP POST request without authentication would return detailed customer data
2020-03-06 13:21

The patched flaw was made public in early February on the HackerOne bug bounty platform and was forwarded to The Register by concerned reader Matt, who told us: "Note that this is regardless of whether the users had set strong passwords and otherwise wouldn't be vulnerable to credential-stuffing attacks."

Professor Alan Woodward of the University of Surrey told The Register that while the vuln was bad, it would require an extra step to enumerate user IDs before the attack would work at scale.

Writing a script to enumerate the IDs and repeatedly send the POST would presumably have returned data on any of those IDs that were valid.

NordVPN told The Register it was very happy with its HackerOne membership and bug bounty scheme, while declining to say whether it had informed its customers about the vuln.

The payment data vuln is of a class called insecure direct object reference, or IDOR. IDOR vulns are, as we reported when defunct travel agency Thomas Cook suffered one in 2018, "a common enough and basic problem on poorly-designed web applications".
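
The IDOR class described above, shown as a handler that trusts the ID in the POST body beside one that authenticates the caller and checks ownership of the requested object. This is an added example, not code from the article or from NordVPN; the request shape, function names, tokens and records are all constructed assumptions.

```python
# Constructed sample data: every record, token and field name here is hypothetical.
PAYMENTS = {
    101: {"email": "alice@example.test", "method": "card", "amount": "11.95"},
    102: {"email": "bob@example.test", "method": "paypal", "amount": "83.88"},
}
SESSIONS = {"tok-alice": 101, "tok-bob": 102}  # session token -> authenticated user ID


def payments_vulnerable(request):
    """IDOR: returns whatever record the body names, with no idea who is asking."""
    record = PAYMENTS.get(request["body"].get("user_id"))
    return (200, record) if record else (404, None)


def payments_hardened(request):
    """Authenticate the caller, then authorize access to the specific object."""
    token = request.get("headers", {}).get("Authorization")
    caller = SESSIONS.get(token)
    if caller is None:
        return (401, None)  # no valid session: reject before touching any data
    requested = request["body"].get("user_id", caller)
    if requested != caller:
        # Same answer whether or not the ID exists, so responses cannot be
        # used to tell valid IDs from invalid ones.
        return (403, None)
    record = PAYMENTS.get(caller)
    return (200, record) if record else (404, None)


if __name__ == "__main__":
    anon = {"headers": {}, "body": {"user_id": 102}}
    alice_for_bob = {"headers": {"Authorization": "tok-alice"}, "body": {"user_id": 102}}
    alice_for_self = {"headers": {"Authorization": "tok-alice"}, "body": {"user_id": 101}}
    cases = [("anon", anon), ("alice->bob", alice_for_bob), ("alice->self", alice_for_self)]
    for name, req in cases:
        print(name, payments_vulnerable(req)[0], payments_hardened(req)[0])
```

The hardened handler derives the permitted object from the server-side session and never from the request body alone, which is the check whose absence defines an IDOR.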


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/06/nordvpn_no_auth_needed_view_user_payments/