The vulnerability, tracked as CVE-2020-25744, was first disclosed to the company at the beginning of September by a security researcher who goes by the handle mmht3t. However, as SaferVPN silently fixed the bug with the release of version 220.127.116.11 of its VPN client, mmht3t has gone ahead and publicly disclosed the vulnerability in a recent post on Medium.
Versions of the company’s VPN software before 18.104.22.168 contain a vulnerability that could allow low-privileged users to create or overwrite arbitrary files which could be exploited to launch DoS attacks.
According to mmht3t, SaferVPN users have full control over the VPN software’s log folder and they can delete all of the files contained within it and create a symbolic link pointing to a high privileged file such as c:\Windows\win.ini on their Windows PC. If a user does this, the contents of the log file will be overwritten on the high privileged file.
Lack of recognition
What makes this particularly vulnerability disclosure so interesting is the fact that mmht3t responsibly disclosed the bug he found to SaferVPN and was not credited for his discovery.
VPN providers and other companies often create their own bug bounty programs or use platforms like HackerOne to do so. This allows security researchers to get paid for the bugs they find while also helping them to improve their software.
After discovering the bug in SaferVPN’s Windows client, mmht3t emailed the company to inform them of the situation and then sent details about the vulnerability when requested. However, he then tried to follow up with the company twice and they did not respond on both occasions. Instead SaferVPN quietly patched the bug with the release of version 22.214.171.124 of its VPN client. It was then that mmht3t decided to publicly disclose the bug which led to the vulnerability being assigned a CVE.
TechRadar Pro has reached out to SaferVPN in regard to the matter but we’ve yet to hear back at the time of writing.
- We’ve also highlighted the best VPN services