NordVPN Patched Their Payments Flaw That Exposed Users Details


NordVPN payment systems posed a significant weakness. Exploiting the bug involved sending someone an HTTP POST request that revealed the information of NordVPN users. NordVPN Vulnerability Revealed Users’ Data NordVPN has recently fixed a significant vulnerability that could have exposed the data of the users to others.

The flaw in their payment system existed first found by a bug bounty hunter. This vulnerability was posted to NordVPN in December 2019 by a researcher with alias foobar on HackerOne. He noticed that submitting an HTTP POST request to without authentication could allow anyone to access the data from other users. It was easy to do so; the attacker could just change the numbers in the I d and user I d to get additional users information.

The said weakness received a ranking of high severity with a score of 7 to 8.9. Upon discovering the bug, NordVPN not only fixed the vulnerability but also granted a $1000 reward to the researcher.

Although it remains unclear if NordVPN informed its users of the error, they have ensured that the bug was patched. According to Jody Myers, NordVPN’s spokeswoman, to The Register,

Such reports are one of the reasons why we have launched the bug bounty program. We are extremely happy with its results and encourage even more researchers to analyze our product. This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting. Theoretically, only email addresses could have been seen by a third party.

Many Problems Patched After NordVPN’s bug bounty service confirmed the introduction of its HackerOne bug bounty system in October 2019. The announcement came after the organization was facing criticism over a breach of security.

Since then, NordVPN’s HackerOne profile has been providing monitoring and fixing back-to-back vulnerabilities. NordVPN also patched the absence of rate-limiting on their password reset function at around the same time as that of the above-referenced IDOR. We have fixed a significant frequency bug, which breached the privacy of users, by the end of February 2020.

In specific, there was a weakness due to potential reuse of the API key that could transfer contact details to a third-party provider. NordVPN has given the researcher a $7,777 reward to illustrate the flaw. In the comments, let us know your thoughts.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.