[Privacy News] Vulnerabilities in PureVPN Client Leak User Credentials

silversurfer (thread author)
The PureVPN client for Windows is impacted by two vulnerabilities that result in user credential leak, a Trustwave security researcher has discovered.

The bugs, Trustwave’s Manuel Nader says, may allow a local attacker to retrieve the stored password of the last user who successfully logged in to the PureVPN service. The attack is performed directly through the GUI (Graphical User Interface), without the need of another tool.

For the attack to work, the PureVPN client should have a default installation, the attacker should have access to any local user account, and a user should have successfully logged in to the PureVPN using the client on a Windows machine.

When disclosing another user’s credentials in a multiuser environment, the Windows machine should have more than one user.

The security researcher discovered that, in version 5.18.2.0 of the PureVPN Windows client, the user password is revealed in the application’s configuration window.

To retrieve the password, the attacker simply needs to open the PureVPN client, access the configuration window, open the "User Profile" tab, and click on "Show Password."

The researcher also discovered that the PureVPN client for Windows stores the login credentials (username and password) in plaintext in a login.conf file located at 'C:\ProgramData\purevpn\config\'. What’s more, all local users have permissions to read this file, the researcher discovered.

The issues were disclosed to the vendor in mid-August 2017. A patch was released in June 2018. PureVPN users on Windows are advised to update to version 6.1.0 or later, as this iteration removes the plaintext password vulnerability.

“The vendor has accepted the risks of the password being revealed in the client's configuration window,” Nader says.
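The second finding above (a plaintext login.conf under C:\ProgramData that every local user can read) is something an administrator can check for directly. The PowerShell below is an added example, not code from the article, Trustwave or PureVPN: it walks the ACL of a file (or of every file under a directory) and reports any Allow entry that grants the ReadData right to a broad local principal. Only the file path comes from the article; the principal list, the function name and the output shape are this example's own choices.

```powershell
# Added example, not from the article, Trustwave, or PureVPN.
# Audits a file (or every file under a directory) for ACEs that grant read
# access to broad local principals, which is the condition the article
# describes for login.conf. Only the path below comes from the article.

$ConfigPath = 'C:\ProgramData\purevpn\config\login.conf'   # path named in the article

# Principals whose read access on a credential file is a finding on a
# multi-user machine. Add domain groups here on a domain-joined host.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Find-BroadReadAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Principals = $BroadPrincipals
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Verbose "Not present: $Path"
        return
    }

    # A directory is expanded to the files beneath it; a file is checked alone.
    $item = Get-Item -LiteralPath $Path
    $files = if ($item.PSIsContainer) {
        Get-ChildItem -LiteralPath $Path -File -Recurse
    } else {
        @($item)
    }

    # ReadData is the single right that lets a principal read file content;
    # Read, ReadAndExecute, Modify and FullControl all include it.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($file in $files) {
        $acl = Get-Acl -LiteralPath $file.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($Principals -notcontains $who) { continue }
            if (($ace.FileSystemRights -band $readData) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $file.FullName
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True usually means the ACE was inherited from C:\ProgramData
            }
        }
    }
}

# Usage: list every broad read ACE on the PureVPN config file, if it exists.
Find-BroadReadAccess -Path $ConfigPath | Format-Table -AutoSize
```

A hit with Inherited = True is the expected result for any file dropped into C:\ProgramData without an explicit ACL, because that folder grants BUILTIN\Users read-and-execute on its files by default; that is why "all local users can read it" follows almost automatically from the storage location. The durable fix is not to tighten the ACL but to stop writing the secret in plaintext, for instance by protecting it with DPAPI scoped to the user who logged in, so that a second local account cannot decrypt it even if it can read the file.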
 

Emma Parker
Are we really qualifying this as a threat? Haven't we all seen the "show password" thing on many websites on their login screen? Even Chrome has a manage password setting where you can see saved passwords. Meanwhile, as we were jumping to conclusions, the VPN provider released an official response on the matter.

"This is not a vulnerability, rather a feature that we deployed for the ease of our users. Back in April 2018, when Trustwave reported it to us, we assessed the risk, and found it minimal due to how our systems are designed. In order to understand this feature and why we assessed it as minimal risk, please read on:
Our systems work a bit differently than most of the other VPN providers. For enhanced security, we use separate passwords for Member Area and VPN access. The Member Area password, which is more privileged, is not shown in apps; it's the VPN access password that is the subject of this feature. Furthermore, by default, our VPN passwords are system generated and not set by users. This curtails the risk of users using the same password for VPN accounts that they use for their sensitive accounts elsewhere on the Internet. On the other hand, this enhanced security design proved a little difficult for quite a few of our users and hence we offered a way for them to easily retrieve their VPN password.
For now, as the community has raised concerns and is confusing it for a vulnerability, we have temporarily removed the feature and released a newer version, 6.2.2. To those users of ours who pretty much use this feature to retrieve the separate password for VPN, we would like to inform them that we plan to redesign the feature, keeping these concerns in mind, and release it back in our November 2018 release.
We use BugCrowd, a public Bug Bounty Program that employs some 90,000 ethical hackers to test our product. We remain in heavy collaboration with the InfoSec community and hence have such aggressive and streamlined processes in place to have released the new version 6.2.2 within a few hours only."
 

Ink
Even chrome has a manage password setting where you can see saved passwords.

To view saved Chrome passwords (chrome://settings/passwords) on Windows, you need to verify your identity using your Windows account password or, if set up, your PIN code.

[screenshot of the Chrome saved-passwords prompt]
 

omidomi
Now that is a different debate :p I guess because of their image people are creating a fuss about this vulnerability, which is not actually a vulnerability at all (for me at least)

BTW I'm a Purevpn user and it works fine :/ [don't hate me] ;-)
Hi
my problem with Dirty VPN starts from this lie: "we keep no log", and after a time they shared their "No log" with the FBI.
PureVPN's 'non-existent' logs used to track, arrest alleged internet stalker

so if they removed this "BIG LIE" from their statement and changed it to "We keep your Log & Share it with anyone" I have no problem with them :)
so, also, you are one "sacrifice" of their lies, why should I hate you :D
btw I am not an enemy of you or the PureVPN company, I just want them to not tell lies to people :sneaky:!
 

Emma Parker
Hi
my problem with Dirty VPN starts from this lie: "we keep no log", and after a time they shared their "No log" with the FBI.
PureVPN's 'non-existent' logs used to track, arrest alleged internet stalker

so if they removed this "BIG LIE" from their statement and changed it to "We keep your Log & Share it with anyone" I have no problem with them :)
so, also, you are one "sacrifice" of their lies, why should I hate you :D
btw I am not an enemy of you or the PureVPN company, I just want them to not tell lies to people :sneaky:!

I read their stance on this issue as well, and that makes sense too. But what will we get from this debate in the end? NOTHING :p so better to leave it here.
 
Eddie Morra

Are we really qualifying this as a threat? Haven't we all seen the "show password" thing on many websites on their log in screen.
You haven't read the original article.

The PureVPN client was showing the password on the screen in plain-view after the user had already signed in. The security concern wasn't about showing the password whilst the user was signing in.

To retrieve the password, the attacker simply needs to open the PureVPN client, access the configuration window, open the "User Profile" tab, and click on "Show Password."

Unless the article is lying, what you're talking about is different to what is going on here.
 

Emma Parker
You haven't read the original article.

The PureVPN client was showing the password on the screen in plain-view after the user had already signed in. The security concern wasn't about showing the password whilst the user was signing in.

Unless the article is lying, what you're talking about is different to what is going on here.
Let me ask their support about this as well. I also use PureVPN. If this is the case I'm definitely not going to use it.
 
Eddie Morra

Let me ask their support about this as well. I also use PureVPN. If this is the case I'm definitely not going to use it.
If they respond, please let me know what they say. I don't use PureVPN and never intend to, but from what I can tell from the original article, it's about the password being "viewable" from the GUI for the currently signed in user.
 
