SaferVPN silently fixed a DoS vulnerability

News
By published

Vulnerability was patched with the release of SaferVPN version 5.0.3.3

VPN
VPN-tjänster har många olika funktioner - här är de allra viktigaste du ska kolla efter. (Image credit: Shutterstock.com)

The VPN provider SaferVPN has patched a denial of service (DoS) vulnerability in its software after a bug was discovered by a security researcher.

The vulnerability, tracked as CVE-2020-25744, was first disclosed to the company at the beginning of September by a security researcher who goes by the handle mmht3t. However, as SaferVPN silently fixed the bug with the release of version 5.0.3.3 of its VPN client, mmht3t has gone ahead and publicly disclosed the vulnerability in a recent post on Medium.

Versions of the company's VPN software before 5.0.3.3 contain a vulnerability that could allow low-privileged users to create or overwrite arbitrary files which could be exploited to launch DoS attacks.

According to mmht3t, SaferVPN users have full control over the VPN software's log folder and they can delete all of the files contained within it and create a symbolic link pointing to a high privileged file such as c:\Windows\win.ini on their Windows PC. If a user does this, the contents of the log file will be overwritten on the high privileged file.

Lack of recognition

What makes this particularly vulnerability disclosure so interesting is the fact that mmht3t responsibly disclosed the bug he found to SaferVPN and was not credited for his discovery.

VPN providers and other companies often create their own bug bounty programs or use platforms like HackerOne to do so. This allows security researchers to get paid for the bugs they find while also helping them to improve their software.

After discovering the bug in SaferVPN's Windows client, mmht3t emailed the company to inform them of the situation and then sent details about the vulnerability when requested. However, he then tried to follow up with the company twice and they did not respond on both occasions. Instead SaferVPN quietly patched the bug with the release of  version 5.0.3.3 of its VPN client. It was then that mmht3t decided to publicly disclose the bug which led to the vulnerability being assigned a CVE.

TechRadar Pro has reached out to SaferVPN in regard to the matter but we've yet to hear back at the time of writing.

  • We've also highlighted the best VPN services
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in VPN Privacy & Security
Digital hand set location on map with two pins. AI technology in GPs, innovation delivery, map location, future transport logistic, route path concept. GPs point. New office location, change address
What does your IP address reveal about you?
A stethoscope next to a laptop on a pink background
How to check if your VPN is working
Teenager playing on a gaming PC with two monitors
Is using a VPN while gaming cheating? 5 myths you shouldn't believe about gaming with a VPN
Neon blue email symbols on a black background
Why am I suddenly getting so many spam emails?
A computer file surrounded by red laser beams
Cover your tracks: the risk of sending unencrypted files
Using an Amazon Fire Stick on a Smart TV
How to use a VPN with Fire Stick
Latest in News
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations
More about vpn privacy security
Digital hand set location on map with two pins. AI technology in GPs, innovation delivery, map location, future transport logistic, route path concept. GPs point. New office location, change address

What does your IP address reveal about you?
A stethoscope next to a laptop on a pink background

How to check if your VPN is working
Surface Laptop 7

Amazon warns customers about the Surface Laptop – and it’s not just bad news for Microsoft
See more latest
Most Popular
Surface Laptop 7
Amazon warns customers about the Surface Laptop – and it’s not just bad news for Microsoft
vector isometric illustration of a handheld gaming console
SteamOS is about to change handheld gaming PCs as HP finally considers ditching Windows 11
Oracle
Oracle denies data breach after hacker claims to hold six million records
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
De'Longhi Linea Classic espresso machine on kitchen counter with hot and cold coffee drinks
I'm a qualified barista, and De'Longhi's latest espresso machine could be this year's best budget buy for coffee lovers
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
A Minecraft sheep.
Minecraft developer rejects generative AI, 'it's important that it makes us feel happy to create as humans'
Nvidia AMD
Nvidia rumors suggest it's working on two affordable GPUs to spoil AMD's party