Big security hole discovered in a big VPN company

One of the most popular VPN services available today may have exposed customer payment information due to a major security breach. Security researchers have discovered a vulnerability in the payment platform used by NordVPN, which has millions of users around the world. The flaw could have allowed hackers to access user account information, including email addresses and purchase history, according to the team at security company HackerOne.

According to The Register, which had the flaw reported to it by a user, anyone making an HTTP POST request to join.nordvpn.com without any authentication would have been able to access users' email addresses, payment method, the URL, the currency, the amount paid, and even which specific products they had purchased.

The fixed bug was made public in early February on the HackerOne bug bounty platform, and the company said it contacted NordVPN about the issue. In a statement, NordVPN said it was "an isolated case" that could only have affected "a handful of users." The company did not confirm whether it had informed customers of the flaw, but said it appreciated the work of the HackerOne community.

"Such reports are one of the reasons we launched the bug bonus program," company spokesperson Jody Myers told The Register. "We are extremely pleased with the results and encourage more researchers to review our product. This is an isolated case that only affected a handful of users due to rate limiting. Theoretically only email addresses could have been seen by a third ".

The company is the only known large VPN organization to have signed up for the HackerOne program, which pays penetration testers to find bugs in its infrastructure and apps. NordVPN made headlines last October after the company revealed that it had suffered a major data breach in March 2018, though it was able to limit the damage and the number of customers involved.

Via: The Register