back to article NordVPN quietly plugged vuln where an HTTP POST request without authentication would return detailed customer data

A vulnerability in NordVPN's payments platform allowed anyone to view users' payment information and email addresses, a startling HackerOne entry has revealed. By simply sending an HTTP POST request without any authentication at all to join.nordvpn.com one could read off users' email addresses, payment method and URL, currency …

  1. J27

    Yeah...

    After all of their recent security issues and their lackadaisical response, I am never going to subscribe to NordVPN. It's not like they don't have a bunch of competition.

    1. Andy The Hat Silver badge

      Re: Yeah...

      Come come. Surely any company promising secure VPN is obviously good and you should send all your secure data to them?

      I'm off to spread graphene on my face and bee spit on my genitals ...the products are great, I saw an ad on Facebook so they're completely legit ...

      1. katrinab Silver badge
        Flame

        Re: Yeah...

        Gold bee venom mask, only £352

        https://shop.heavenskincare.com/index.php/gold-bee-venom-mask.html

        in case you thought it was a completely crazy idea that nobody would think of.

        1. tech_is_BS

          Re: Yeah...

          Dead link, according to the website. "Offline" was returned as the cause.

          1. Anonymous Coward
            Anonymous Coward

            Re: Yeah...

            The link is working fine now. Maybe that is an item too many of El Regis readers were too much interested in.

  2. jaycee331

    Keep calm and carry on

    Still happy with Nord and their client is one of the slickest out there. But more importantly, thanks to their TV advertising campaigns they are now a household name that will be quite rightly subjected to this kind of scrutiny. I'll take that in preference over any smaller, lesser known VPN provider whose security is still hiding in the shadows.

    If my account was compromised here then some lucky hacker has in their hands my false name, disposable email address (disposed) and a Bitpay/bitcoin payment receipt. #opsec

    1. Anonymous Coward
      Anonymous Coward

      Re: Keep calm and carry on

      So how much does NordVPN pay these days for employees to write comments about them on Internet forums?

    2. Anonymous Coward
      Anonymous Coward

      Re: Keep calm and carry on

      TalkTalk are a household name...have you considered giving up your day job to talk bollocks for a living...you're wasted at work.

    3. Michael Wojcik Silver badge

      Re: Keep calm and carry on

      Being subject to scrutiny is good.

      Failing at even the most basic secure development practices is not. This one violates at least two of the OWASP Top 10. How did it get into production? Hell, how did it come out of Development? Why are they letting developers who clearly haven't been trained in the most prominent security issues in their domain produce code in the first place?

  3. Anonymous Coward
    Anonymous Coward

    A good free VPN provider alternative

    http://hide.me

    Just sayin'

    1. Pascal Monett Silver badge

      Or TunnelBear.

      1. Anonymous Coward
        Anonymous Coward

        TunnelBear.

        TunnelBear? That sounds less like a VPN provider and more like a shadowy Russian hacker group ... :-)

        .

        1. Anonymous Coward
          Gimp

          Re: TunnelBear.

          [...shadowy Russian BDSM group...]

          FTFY

      2. steviebuk Silver badge

        You are aware TunnelBear is now owned by McAfee right?

        1. Korev Silver badge

          Do you mean the PC-slowing software or the lover of "bath salts"?

          1. katrinab Silver badge
            Flame

            The supplier of virus software

          2. steviebuk Silver badge

            The PC-Slowing Software.

  4. Anonymous Coward
  5. Drew Scriver

    If they can't even get the basics right...

    If they can't even get this very basic (and visible) issue right, is it logical to trust that they're handling the more complex security requirements correctly?

    Me thinks that would be wishful thinking.

  6. Anonymous Coward
    Anonymous Coward

    Suuuu-Prize!

    Not surprised. When I used this one it seems it also set up a dedicated channel to ads which disappeared when I quit them. I think it would be very helpful for spooks to have an open list of Nord customers. Don't you?

  7. Claptrap314 Silver badge

    Wanna bet?

    "id":42615458,"user_id":20027039

    Looks like auto-incrementing integer IDs to me.

    Just don't do it, kids. At best, they leak important business information. At worst, they enable exploit automation.

  8. Dave559
  9. razorfishsl

    NordVPN AGAIN.... this company is not fit for purpose......

    God knows what other mistakes they are making as regards security......

  10. Anonymous Coward
    Anonymous Coward

    snake oil

    Another VPN company selling the illusion of security to the ignorant public.

  11. Aussie Doc
    Coat

    Yeah, sure.

    "This is an isolated case that potentially affected only a handful of users,..."

    Yeah, nothing to see here.

    This sounds like every other business with a potential or actual insecure site.

    Also "Your privacy is important to us..."

  12. randon8154

    Nobody want to meet NordLynx ?

    https://nordvpn.com/blog/nordlynx-protocol-wireguard/

    They claim to have implemented wireguard in a safe way : by making your system run the NordLynx binary, with root permission and going against everything what wireguard is made for...

    The quote :

    "However, it’s not all as great as it sounds. There’s been a lot of buzz about WireGuard lately. The protocol is still under heavy development, and it’s far from perfection. Yes, WireGuard can promise better connection speeds already, but its capabilities to keep users anonymous fall behind. "

    Said by deceptive, misleading rogue company... They just need to pay third party website to spam of fake good review/comment, (they are legion on Google) .

    Damn them.

  13. Anonymous Coward
    Anonymous Coward

    Paranoia

    I'm just curious.. If NordVPN is such a hoax and dangerous place, where are the safe alternatives? I wonder.

    For all us normal people who needs some privacy and security I dont worry. The premium VPNs do what they should. If your'e planning to blow up the White House, it may be you should not use the net at all.

    In Trump land, the world of conspiracies, there's another decease spreading. Paranoia. The chinese are lurking in the background, trying to get ya! (Tik Tok, Huawei..) I would be more concerned about the NSA or the way the more and more polarized americans select their information from medias with a political agenda. Dangerous future..

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon