NordVPN quietly plugged vuln where an HTTP POST request without authentication would return detailed customer data

A vulnerability in NordVPN's payments platform allowed anyone to view users' payment information and email addresses, a startling HackerOne entry has revealed. By simply sending an HTTP POST request without any authentication at all to join.nordvpn.com one could read off users' email addresses, payment method and URL, currency …

  1. J27

    Yeah...

    After all of their recent security issues and their lackadaisical response, I am never going to subscribe to NordVPN. It's not like they don't have a bunch of competition.

    1. Andy The Hat Silver badge

      Re: Yeah...

      Come come. Surely any company promising secure VPN is obviously good and you should send all your secure data to them?

      I'm off to spread graphene on my face and bee spit on my genitals ...the products are great, I saw an ad on Facebook so they're completely legit ...

      1. katrinab Silver badge
        Flame

        Re: Yeah...

        Gold bee venom mask, only £352

        https://shop.heavenskincare.com/index.php/gold-bee-venom-mask.html

        in case you thought it was a completely crazy idea that nobody would think of.

        1. tech_is_BS

          Re: Yeah...

          Dead link, according to the website. "Offline" was returned as the cause.

          1. Anonymous Coward
            Anonymous Coward

            Re: Yeah...

The link is working fine now. Maybe that is an item too many of El Reg's readers were too much interested in.

  2. jaycee331

    Keep calm and carry on

    Still happy with Nord and their client is one of the slickest out there. But more importantly, thanks to their TV advertising campaigns they are now a household name that will be quite rightly subjected to this kind of scrutiny. I'll take that in preference over any smaller, lesser known VPN provider whose security is still hiding in the shadows.

    If my account was compromised here then some lucky hacker has in their hands my false name, disposable email address (disposed) and a Bitpay/bitcoin payment receipt. #opsec

    1. Anonymous Coward
      Anonymous Coward

      Re: Keep calm and carry on

      So how much does NordVPN pay these days for employees to write comments about them on Internet forums?

    2. Anonymous Coward
      Anonymous Coward

      Re: Keep calm and carry on

      TalkTalk are a household name...have you considered giving up your day job to talk bollocks for a living...you're wasted at work.

    3. Michael Wojcik Silver badge

      Re: Keep calm and carry on

      Being subject to scrutiny is good.

      Failing at even the most basic secure development practices is not. This one violates at least two of the OWASP Top 10. How did it get into production? Hell, how did it come out of Development? Why are they letting developers who clearly haven't been trained in the most prominent security issues in their domain produce code in the first place?

  3. Anonymous Coward
    Anonymous Coward

    A good free VPN provider alternative

    http://hide.me

    Just sayin'

    1. Pascal Monett Silver badge

      Or TunnelBear.

      1. Anonymous Coward
        Anonymous Coward

        TunnelBear.

        TunnelBear? That sounds less like a VPN provider and more like a shadowy Russian hacker group ... :-)

        .

        1. Anonymous Coward
          Gimp

          Re: TunnelBear.

          [...shadowy Russian BDSM group...]

          FTFY

      2. steviebuk Silver badge

        You are aware TunnelBear is now owned by McAfee right?

        1. Korev Silver badge

          Do you mean the PC-slowing software or the lover of "bath salts"?

          1. katrinab Silver badge
            Flame

            The supplier of virus software

          2. steviebuk Silver badge

            The PC-Slowing Software.

  4. Anonymous Coward
  5. Drew Scriver

    If they can't even get the basics right...

    If they can't even get this very basic (and visible) issue right, is it logical to trust that they're handling the more complex security requirements correctly?

Methinks that would be wishful thinking.

  6. Anonymous Coward
    Anonymous Coward

    Suuuu-Prize!

    Not surprised. When I used this one it seems it also set up a dedicated channel to ads which disappeared when I quit them. I think it would be very helpful for spooks to have an open list of Nord customers. Don't you?

  7. Claptrap314 Silver badge

    Wanna bet?

    "id":42615458,"user_id":20027039

    Looks like auto-incrementing integer IDs to me.

    Just don't do it, kids. At best, they leak important business information. At worst, they enable exploit automation.
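The two failings raised in this thread, a lookup that never checks who is asking (Michael Wojcik's OWASP point) and guessable auto-incrementing ids (the point above), side by side with the fixed form. This is an added illustration, not code from the article, the HackerOne report or NordVPN; the records, tokens and function names are constructed.

```python
import secrets

# Constructed sample records for this illustration, not NordVPN's real data.
CUSTOMERS = {
    20027039: {"email": "a@example.invalid", "payment_method": "bitpay", "currency": "EUR"},
    20027040: {"email": "b@example.invalid", "payment_method": "card", "currency": "USD"},
}

class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""

def lookup_insecure(request_json):
    """Before: a client-supplied sequential id is looked up with no check of who asks."""
    return CUSTOMERS[request_json["user_id"]]

def estimate_record_count(observed_ids):
    """Why sequential ids leak business data: the classic serial-number estimator
    (max + max/k - 1) infers the approximate total from a handful of observed ids."""
    m, k = max(observed_ids), len(observed_ids)
    return m + m / k - 1

# After: records are addressed by random opaque tokens, and every lookup is bound
# to the authenticated session, which must own the record (object-level authorization).
TOKEN_TO_ID = {}  # opaque token -> internal id; the integer never leaves the server

def issue_token(internal_id):
    token = secrets.token_urlsafe(16)
    TOKEN_TO_ID[token] = internal_id
    return token

def lookup_secure(session_user_id, request_json):
    if session_user_id is None:
        raise Forbidden("authentication required")
    internal_id = TOKEN_TO_ID.get(request_json.get("user_token"))
    if internal_id is None or internal_id != session_user_id:
        # Same error for unknown and foreign tokens, so the response does not
        # confirm which tokens exist.
        raise Forbidden("not your record")
    return CUSTOMERS[internal_id]

def is_denied(session_user_id, request_json):
    """Helper for checking that a lookup is refused."""
    try:
        lookup_secure(session_user_id, request_json)
    except Forbidden:
        return True
    return False
```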

  8. Dave559 Silver badge
  9. razorfishsl

    NordVPN AGAIN.... this company is not fit for purpose......

    God knows what other mistakes they are making as regards security......

  10. Anonymous Coward
    Anonymous Coward

    snake oil

    Another VPN company selling the illusion of security to the ignorant public.

  11. Aussie Doc
    Coat

    Yeah, sure.

    "This is an isolated case that potentially affected only a handful of users,..."

    Yeah, nothing to see here.

    This sounds like every other business with a potential or actual insecure site.

    Also "Your privacy is important to us..."

  12. randon8154

Nobody wants to meet NordLynx?

    https://nordvpn.com/blog/nordlynx-protocol-wireguard/

They claim to have implemented WireGuard in a safe way: by making your system run the NordLynx binary with root permission, going against everything WireGuard is made for...

The quote:

    "However, it’s not all as great as it sounds. There’s been a lot of buzz about WireGuard lately. The protocol is still under heavy development, and it’s far from perfection. Yes, WireGuard can promise better connection speeds already, but its capabilities to keep users anonymous fall behind. "

Said by a deceptive, misleading rogue company... They just need to pay third-party websites to spam fake good reviews/comments (they are legion on Google).

    Damn them.

  13. Anonymous Coward
    Anonymous Coward

    Paranoia

    I'm just curious.. If NordVPN is such a hoax and dangerous place, where are the safe alternatives? I wonder.

For all of us normal people who need some privacy and security, I don't worry. The premium VPNs do what they should. If you're planning to blow up the White House, it may be you should not use the net at all.

In Trump land, the world of conspiracies, there's another disease spreading. Paranoia. The Chinese are lurking in the background, trying to get ya! (Tik Tok, Huawei..) I would be more concerned about the NSA or the way the more and more polarized Americans select their information from media with a political agenda. Dangerous future..
