NordVPN quietly plugged vuln where an HTTP POST request without authentication would return detailed customer data

A vulnerability in NordVPN's payments platform allowed anyone to view users' payment information and email addresses, a startling HackerOne entry has revealed.

By simply sending an HTTP POST request without any authentication at all to join.nordvpn.com one could read off users' email addresses, payment method and URL, currency, amount paid and even which product they bought.

The patched flaw was made public in early February on the HackerOne bug bounty platform and was forwarded to The Register by concerned reader Matt, who told us: "Note that this is regardless of whether the users had set strong passwords and otherwise wouldn't be vulnerable to credential-stuffing attacks."

When sending a straightforward HTTP POST request to the insecure API, the researcher who found the vuln received this string back:

<{"id":42615458,"user_id":20027039,"confirmation":{"id":23093398,"created_at":"2019-12-04 17:01:35","updated_at":"2019-12-04 17:01:35","type":"redirect_post","value":"{\"url\":\"https:\\\/\\\/www.coinpayments.net\\\/index.php\",\"parameters\":{\"cmd\":\"_pay\",\"reset\":1,\"email\":\"█████\",\"merchant\":\"e64a9629f9a68cdeab5d0edd21b068d3\",\"currency\":\"USD\",\"amountf\":125.64,\"item_name\":\"VPN order\",\"invoice\":\"49476958\",\"success_url\":\"https:\\\/\\\/join.nordvpn.com\\\/payments\\\/callback\\\/264cae0b89e44a7bd263431b68d1122d\",\"cancel_url\":\"https:\\\/\\\/join.nordvpn.com\\\/order\\\/error\\\/?error_alert=payment&eu=1\",\"want_shipping\":0}}"}}

By changing the "id" and "user_id" numbers, he was able to view random folks' data, as detailed on the full HackerOne entry.

Professor Alan Woodward of the University of Surrey told The Register that while the vuln was bad, it would require an extra step to enumerate user IDs before the attack would work at scale.

He said: "I assume the structure can be determined and so enumeration wouldn't be impossible, i.e. having to know the ID isn't really much protection in itself… It's the sort of bug that can erode trust, which is vital to VPN providers."

Prof Woodward added: "It was a simple POST to retrieve data that should not have been openly returned. Writing a script to enumerate the IDs and repeatedly send the POST would presumably have returned data on any of those IDs that were valid."

NordVPN told The Register it was very happy with its HackerOne membership and bug bounty scheme, while declining to say whether it had informed its customers about the vuln.

Instead, company spokeswoman Jody Myers said: "Such reports are one of the reasons why we have launched the bug bounty program. We are extremely happy with its results and encourage even more researchers to analyze our product. This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting. Theoretically, only email addresses could have been seen by a third party."

Our reader, Matt, spotted another NordVPN disclosure from around the same time which appeared to show rate-limiting had not been implemented on its password reset page. Nonetheless, both bugs have now been patched and bounty'd.

The payment data vuln is of a class called insecure direct object reference, or IDOR. IDOR vulns are, as we reported when defunct travel agency Thomas Cook suffered one in 2018, "a common enough and basic problem on poorly-designed web applications".

Last year NordVPN came under criticism after an unknown miscreant managed to gain access to one of its servers through a remote management system. Before that, Reg readers and others observed some very strange NordVPN-connected traffic which bore some similarities to botnet command-and-control signalling. ®