Virtual Private Networks (VPNs) are recommended to customers to help protect their computer systems from threats that may come from outside sources.
But if the VPN software itself has vulnerabilities, the situation becomes untenable for everyone involved.
This is precisely what has occurred with two well-known VPN service providers, NordVPN and ProtonVPN, whose Windows clients were found to be vulnerable.
The vulnerabilities were first detected and reported to the companies back in April, and both services issued a patch to address the security flaws. However, a team of cybersecurity researchers is now reporting that the patch itself could be bypassed: it was still possible to exploit the clients even after the April patch was installed.
Both VPN firms have since shipped a fresh fix.
OpenVPN Configuration the Culprit
The researchers working on this vulnerability in the VPN services, whether Nord or Proton, found that the way both clients handle OpenVPN configuration leaves the door open for attackers: the client hands a user-controlled OpenVPN configuration to a privileged helper service, which passes it on to OpenVPN, and OpenVPN directives such as "plugin" and "script-security" can make that privileged process load code or run commands.
The attacker needs only a foothold on the machine as an ordinary user: from there, a crafted configuration yields code execution with the helper service's elevated privileges. If you subscribed to either ProtonVPN or NordVPN on Windows, your computer was at risk of this kind of privilege escalation.
The researchers assigned CVE identifiers to the security flaws they detected: CVE-2018-3952 (NordVPN) and CVE-2018-4010 (ProtonVPN). As mentioned, the underlying weakness was first noticed and reported to the companies in April. In response, the companies released security patches that should have taken care of the vulnerabilities.
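The weakness described above is essentially a configuration-validation problem: the privileged service has to decide whether a user-supplied OpenVPN config is safe before it runs it, and a denylist that matches raw lines can be bypassed by formatting the same directive differently. The following is an added illustration, not NordVPN's, ProtonVPN's or Cisco Talos's code. It contrasts a hypothetical line-matching denylist with an allowlist that tokenizes each line the way OpenVPN reads it (quoting and the optional leading `--` are assumptions modelled on OpenVPN's documented config syntax), and all configs shown are constructed.

```python
"""Illustrative validation of a user-supplied OpenVPN config by a privileged
helper. Hypothetical code; the vendors' real checks are not on the page."""
import re
from typing import Iterator, List, Tuple

# Directives that let openvpn load code or run commands under its own privileges.
DANGEROUS = {"plugin", "script-security", "up", "down", "route-up",
             "route-pre-down", "ipchange", "tls-verify", "auth-user-pass-verify",
             "client-connect", "client-disconnect", "learn-address"}

# Directives a VPN client legitimately needs (assumed allowlist).
ALLOWED = {"client", "dev", "proto", "remote", "resolv-retry", "nobind",
           "persist-key", "persist-tun", "remote-cert-tls", "cipher", "auth",
           "verb", "auth-user-pass", "ca", "cert", "key", "tls-auth",
           "key-direction", "comp-lzo", "ping", "ping-restart", "pull"}
INLINE = {"ca", "cert", "key", "tls-auth", "tls-crypt"}   # <tag> ... </tag> blocks

# Weak check (constructed): rejects only lines that literally begin with a bad word.
_BAD_LINE = re.compile(r"^\s*(plugin|script-security)\b")

def denylist_validate(config: str) -> bool:
    """Returns True if the naive denylist lets the config through."""
    return not any(_BAD_LINE.match(line) for line in config.splitlines())

def tokenize(line: str) -> List[str]:
    """Split one line roughly as OpenVPN does: whitespace separated, "..." and
    '...' quoting, backslash escapes, '#'/';' comments between tokens."""
    tokens, cur, quote, esc, in_tok = [], [], None, False, False
    for ch in line:
        if esc:
            cur.append(ch); esc = False; in_tok = True
        elif ch == "\\" and quote != "'":
            esc = True; in_tok = True
        elif quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "\"'":
            quote = ch; in_tok = True
        elif ch in "#;" and not in_tok:
            break
        elif ch.isspace():
            if in_tok:
                tokens.append("".join(cur)); cur, in_tok = [], False
        else:
            cur.append(ch); in_tok = True
    if in_tok:
        tokens.append("".join(cur))
    return tokens

def iter_directives(config: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (lineno, name, args); inline block bodies are skipped, '--' stripped."""
    in_block = None
    for lineno, line in enumerate(config.splitlines(), 1):
        if in_block:
            if line.strip() == f"</{in_block}>":
                in_block = None
            continue
        toks = tokenize(line)
        if not toks:
            continue
        name = toks[0][2:] if toks[0].startswith("--") else toks[0]
        if name.startswith("<") and name.endswith(">"):
            in_block = name[1:-1]
        yield lineno, name, toks[1:]
    if in_block:
        raise ValueError(f"unterminated inline block <{in_block}>")

def allowlist_validate(config: str) -> Tuple[bool, str]:
    """Accept only known-harmless directives after proper tokenization."""
    try:
        for lineno, name, _ in iter_directives(config):
            tag = name[1:-1] if name.startswith("<") else None
            if tag is not None and tag not in INLINE:
                return False, f"line {lineno}: inline block {tag!r} is not permitted"
            if tag is None and name not in ALLOWED:
                return False, f"line {lineno}: directive {name!r} is not permitted"
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"

def dangerous_directives(config: str) -> List[Tuple[int, str]]:
    """Detection view: which lines would give openvpn code-execution directives."""
    return [(n, name) for n, name, _ in iter_directives(config) if name in DANGEROUS]

# Constructed sample configs (hostname and paths are made up).
BENIGN_CONFIG = ("client\ndev tun\nproto udp\nremote vpn.example.com 1194  # constructed\n"
                 "remote-cert-tls server\nauth-user-pass\n<ca>\n-----BEGIN CERTIFICATE-----\n"
                 "MIIB...not a real certificate...\n-----END CERTIFICATE-----\n</ca>\n")
QUOTED_ATTACK = 'client\n"plugin" C:/evil.dll\n'            # quoted directive name
DASHED_ATTACK = "client\n--script-security 2\nup C:/evil.bat\n"  # '--' prefixed form
```

Both attack configs sail past `denylist_validate` because the regex never sees a line that starts with the bare word, yet `allowlist_validate` rejects them and `dangerous_directives` names the offending lines, which is the check a privileged service should run before spawning OpenVPN.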
It is not known how many subscribers to the VPN services were aware that there was a vulnerability in the software; most would simply have received the patches and updated the program in the normal course.
Cisco Talos Finds the Vulnerability Again
Last month, a research team at Cisco Talos did its own research and found that the patch released against the vulnerability in April had not worked after all.
With the April patches installed, they were still able to bypass the check and exploit the clients.
They then reported back to the two companies. NordVPN reacted much faster than ProtonVPN did, but both service providers have since issued fresh remedial updates and state that their customers' systems are now safe.
Both Appreciate the Work by the Researchers
Once the vulnerabilities in their VPN services were exposed in the media and in online forums, NordVPN and ProtonVPN both reacted and issued statements.
They admitted that they had indeed overlooked the security flaws, but did not assign too much significance to the episode.
Their contention was that to err is human, and that they appreciate the work done by private and independent cybersecurity researchers.
A NordVPN press release noted that the firm was pleased to work with the researchers and would continue to do so in future.
There are a few more aspects to understand when discussing these vulnerabilities in VPN services.
One is that devices running macOS or Linux did not face this vulnerability with either ProtonVPN or NordVPN.
Only the Windows clients were at risk, because the flaw lies in how the vendors' Windows clients pass configuration to their privileged helper service, not in Windows itself.
The other factor is that there is no confirmation that other VPN clients are free of similar weaknesses; only these two were tested at this juncture, and any client that runs OpenVPN from a privileged service on behalf of an unprivileged user faces the same design question.
Finally, one must concede that vulnerabilities are neither new nor entirely avoidable, and there is no way to stop an unscrupulous attacker from exploiting the ones that exist.
But as long as a healthy system exists in which those who test these programs inform the companies first and give them time to come up with a remedy, customers are better protected.
Ultimately, the end users of these programs are the ones who drive the business forward.