A simple trick to get data

A security researcher named dakitu, who discovered and formally disclosed this bug to NordVPN, received a bounty of $1,000. He classified it as an Insecure Direct Object Reference (IDOR) vulnerability and gave it a severity score of 7-8.9. What he did was quite simple; even a non-technical user could have exploited the flaw while it existed.

dakitu sent an HTTP POST request to NordVPN's domain, which triggered the flaw and returned user information. The data returned by the bug isn't that sensitive, but it is exploitable. It contained the user ID, email address, payment URL and method, the total amount paid and the type of product purchased. This could harm users if properly exploited. Further, changing the ID and User ID could let anyone access the records of other users too!

The platform already suffered a breach in one of its data centers last year, caused by a third party's fault in the remote management system. Now, the leakage of email addresses with payment information is yet another hit. It is unclear whether NordVPN informed its customers about this vulnerability, as it reportedly declined to answer that question when asked by The Register. Perhaps it did not consider the issue that important, as it hadn't found any exploitation yet.

Aside from this HTTP POST bug, another bug was discovered around the same time in the password reset feature. That disclosure revealed that no rate limit was set on the number of times a password reset could be requested on the forgotten password page. Both this and the HTTP POST bug have now been resolved.

Via: HackerOne, The Register
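The server-side check that closes this class of IDOR, shown beside the flawed pattern, as an added example that is not NordVPN's code or taken from the report. The record fields, the `id` and `user_id` body keys, the session store and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    user_id: int
    email: str
    payment_method: str
    amount_paid: str
    product: str


# Constructed sample records and sessions (hypothetical, not real data).
ORDERS = {
    1001: Order(1001, 1, "alice@example.test", "card", "83.88", "2-year plan"),
    1002: Order(1002, 2, "bob@example.test", "paypal", "11.95", "1-month plan"),
}
SESSIONS = {"token-alice": 1, "token-bob": 2}  # session token -> user id


class Forbidden(Exception):
    pass


def get_order_vulnerable(body: dict) -> Order:
    """IDOR pattern: both identifiers come from the request body, so the
    comparison below only checks the caller's input against itself."""
    order = ORDERS[body["id"]]
    if order.user_id != body["user_id"]:
        raise Forbidden("mismatch")
    return order


def get_order_hardened(session_token: str, body: dict) -> Order:
    """Object-level authorization: the owner is derived from the
    authenticated session; any user_id in the body is ignored."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("not authenticated")
    order = ORDERS.get(body.get("id"))
    # Same error for "missing" and "not yours", so record ids
    # cannot be enumerated through differing responses.
    if order is None or order.user_id != caller:
        raise Forbidden("no such order")
    return order
```

The same ownership test belongs on every endpoint that takes a record identifier, and it can be asserted in integration tests by requesting one account's record with another account's session.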
