NordVPN Bug Exposed Critical Customer Data With No Authentication Required

One of the world’s popular VPN services, NordVPN, has experienced a critical bug that exposed user information to hackers. The vulnerability evolved around the payment platform used by the VPN service, according to a report from the company.

Dubbed as an Insecure Direct Object Reference (IDOR) vulnerability, a hacker could leverage it by sending an HTTP POST request to the nordvpn.com domain. In return, the website’s API could return a string of user information data without any authentication.

By leveraging the bug, hackers can be able to acquire different user account information. These include email addresses, payment merchant records, URLs, specific products purchased, and amounts paid.

“We have confirmed with our tech team that the issue was disclosed on H1 only after evaluating that no data had been exploited. The vulnerability was isolated to three small payment providers and possible to exploit only within a limited timeframe,” said a company’s spokesperson.

The bug traces its way back to last year and the company issued a patch in December. The company recognized the unreliability of its detection system as “did not indicate any suspicious behavior” at the time.

The company also states that the issue was “an isolated case,” and it could potentially affect a few users.

It’s not the first time, however, that NordVPN has gained popularity in the media over security-related issues. Last year, the company revealed a data breach at one of their data centers from a third-party data center provider.

Follow us on Telegram, Twitter, Facebook or subscribe to our weekly newsletter to ensure you don’t miss out on any future updates.