Top VPN software had a major security flaw


UPDATE: NordVPN has told TechRadar Pro that the vulnerability was isolated to three small payment providers and possible to exploit only within a limited timeframe.

"We have confirmed with our tech team that the issue was disclosed on H1 only after evaluating that no data had been exploited," a NordVPN spokesperson told us.

One of the most popular VPN services available today may have exposed customer payment information due to a significant security flaw.

Security researchers uncovered a vulnerability in the payment platform used by NordVPN, which has millions of users around the world.

The flaw could have allowed hackers access to user account information, including email addresses and shopping history, according to the team at security firm HackerOne.

NordVPN security

According to The Register, which had the flaw flagged by a concerned user, anyone making an HTTP POST request to join.nordvpn.com without any authentication would be able to access users' email addresses, payment method and URL, currency, amount paid and even which specific products they had bought.

The patched flaw was made public in early February on HackerOne's bug bounty platform, with the company saying it had contacted NordVPN about the issue.

In a statement, NordVPN said that this was "an isolated case" that potentially could only have affected a "handful of users".

The company did not confirm whether it had told customers about the flaw, but said it appreciated the work of the HackerOne community.

"Such reports are one of the reasons why we have launched the bug bounty program," company spokeswoman Jody Myers told The Register. 

"We are extremely happy with its results and encourage even more researchers to analyze our product. This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting. Theoretically, only email addresses could have been seen by a third party."

The company is the only major known VPN organisation to have enlisted on the HackerOne programme, which pays penetration testers for finding bugs in their infrastructure, applications and apps.

NordVPN hit the headlines last October after the company was revealed to have suffered a major data breach back in March 2018, although it was able to limit the damage and the customers affected.

Via: The Register

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.
