So they fixed it...
... and thereby agreed it was broken and insecure, but paid out fuck all?!
Next time sell it to the black hats and fuck the vendor.
Kaspersky's Android VPN app whispered the names of websites its 1,000,000-plus users visited along with their public IP addresses to the world's DNS servers. The antivirus giant duly fixed up the blunder when a researcher reported it via the biz's bug bounty program – for which he received zero dollars and zero cents as a …
"but does that "fuck the vendor" or "fuck the users"?"
I'm sorry, but for decades the security community warns against vendors of "security in a box" like Kapersky. It's like doctors warn that homeopathy is nothing more than a placebo with a talk.
BTW this is not some sophisticated problem that's hard to exploit. Everyone already sniffing for DNS traffic wouldn't even have noticed there being a VPN anyhow. So they wouldn't have gotten anything from "Blackhacks" (I don't like those terms, it's like putting people into "good" and "evil" categories. Life is not black or white, and many people with good intentions do horrible things, see Mozilla)
Companies list what products they pay a bounty out under on Hackerone and the VPN product was not on the list. It is that simple.
There is nothing to sell black hats in this case as there is no exploit for a vulnerability. It's a data leak problem.
Kaspersky should however be ashamed of itself for supplying VPN software with DNS leak problems. They could potentially argue that the VPN is to stop encrypt your traffic to avoid it being read or modified (MITM'ed) while on public networks rather than for anonymity although I have not seen how they market the product. In this day and age though one would expect DNS traffic to be VPN'ed along with the traffic as standard for such a product.
Kaspersky was using "HotSpot Shield" for their VPN server at one time on their Desktop AV program.
I hope that isn't the case with the app.
A little off topic but I noticed that while running a quick scan of Kaspersky on a Windows machine that there were a lot of internet packets of the same size being sent out.
I made the assumption that perhaps checksums were being made of all the files on the hard drive due to the packets having the same size.
I did have the default option of sending samples back to the mothership disabled.
The packets were encrypted however and I never got around to investigating further so my assumptions could be unjustified.
Bug bounty programs are a poor solution for actual security, and thus end users. They are often used to buy silence, and can make it difficulty to report bugs where you want to retain control of the information and don’t give two hoots about the cash.
This guy let his greed get the better of him. It’s clear that Kaspersky don’t pay for this class of bug. I know of at least two other organisations that do. Not that they’d be reporting it up to Kaspersky...
Lesson for all researchers. Decide what outcome you’re interested in (securing end users, cash, fame) and send your findings to the appropriate party.
Doesn't rather depend on what the VPN product claims for itself? The app store page you link isn't specific enough to tell that.
When I've used a VPN Client, it has nothing to do with hiding my identity. It's just a means to connect to an employer's or client's network. A higher-level (and much more scary) alternative to ssh, and providing less privacy than ssh, in that it gives the relevant BOFH a lot of audit trail if I do anything so frivolous as read El Reg on $work time.
In a product aimed at the employers and clients for whom I've used one, DNS lookups outside the VPN would not be an issue at all.
Whilst I agree that the *user* of a corporate VPN might not care about DNS leakage, the corporation should.
Unnecessary information leakage is always a problem, even if it just enables social engineering attacks (eg which vendor support pages you are visiting).
As the tunnel is already there, there's really no excuse for not sending DNS queries through it.
When I use a VPN, I run these tests first to confirm my DNS queries are going only via the VPN tunnel - but I'm not a tech, so am I doing the right thing?
Also, what do you all think about Simple DNSCrypt?
So, guys want to be on bad news again. They created a buzz after being caught on collecting and sending user info to Russian FSB and following US government embargo to use. That damaged reputation and others are following US government, or at least thinking. Instead of paying something even if not legally obligated, they want the K-name to be in discussion again. However, IT/Security world is not a Hollywood. Bad reputation is really bad thing.
I would suggest researches to sell Kaspersky related bugs on open market as K-guys are really cheap and in bad shape financially. Or PR is stupid as it gets.
"Unfortunately for Mishra, this data is defined as user passwords, payment information, and authentication tokens – and not IP addresses and domain-name lookups."
Yes, this is the same problem we run into when companies start talking about "personally identifiable information" generally -- the definition of PII used by pretty much every company in existence, and the definition I have are two very different things.
In my view, PII is any information that can be used to identify you. However, companies define it as a piece of information that is listed in their pre-ordained list of specific data items, all of which omit lots of information that can be personally identifying.
This is why I simply ignore any claims made about protecting "PII", since we don't even agree on our definitions.
The security of our customers is our top priority...
Nope. This is merely the mantra that corporate droids repeat over and over in hopes that they will be believed. Publicly demonstrating that you wish to discourage research into any of your security products indicates the opposite of it being important to you. If you are actively undermining something, you cannot accurately claim to be supporting it too.