Kaspersky VPN blabbed domain names of visited websites – and gave me a $0 reward, says chap

DNS leak flaws are outside of bug-bounty scope


Updated Kaspersky's Android VPN app whispered the names of websites its 1,000,000-plus users visited along with their public IP addresses to the world's DNS servers.

The antivirus giant duly fixed up the blunder when a researcher reported it via the biz's bug bounty program – for which he received zero dollars and zero cents as a reward.

Version 1.4.0.216 and earlier of the "Kaspersky VPN – Secure Connection" tool did not route DNS lookups through the secure tunnel. That means if you were using the VPN software to hide your public IP address, and thus clues to your identity, from the public internet, well, it let you down.

Whenever you would visit a website, say, supercyberotters.org, from your device with Kaspersky's VPN enabled, and your browser needed to look up the IP address of the domain name, it would reach out to a DNS server, such as one provided by your Wi-Fi, your cellular network, or yourself. That lookup would not be run through the VPN tunnel, though, so the DNS service would be able to log the domain names of the sites you were visiting, and when, against your public IP address.

Really, the DNS lookups should have been routed through the secure VPN tunnel, along with your connections to the websites – and the app was fixed in 1.4.0.453 and later, released before the end June, according to messages sent by Kaspersky Lab staff that we've seen. Thus, make sure you're running the latest build.

Why you shouldn't trust a stranger's VPN: Plenty leak your IP addresses

READ MORE

Dhiraj Mishra, who reported the flaw in April, via Kaspersky's HackerOne-hosted bounty program, claims he still has not received a dime.

Judging from conversations between Mishra and Kaspersky Lab staffers, seen by The Register this week, the Russian software giant decided to give him extra HackerOne reputation points, and declined to hand over cold coin.

"I believe this vulnerability leaks traces of a user who wants to remain anonymous on the internet," Mishra told El Reg in an email on Thursday. "I reported this vulnerability on April 21, four months ago, via HackerOne, and a fix was pushed out but no bounty was awarded."

And we can see why, unfortunately: according to the rules of the bug bounty, you can land up to $10,000 for finding a flaw that leaks sensitive data. Unfortunately for Mishra, this data is defined as user passwords, payment information, and authentication tokens – and not IP addresses and domain-name lookups. Even though a VPN toolkit like Kaspersky Lab's is supposed to shield people's IP addresses and domain-name lookups.

A spokesperson for Kaspersky Lab said she was unable to comment when we contacted the organization.

The Russian security house wouldn't be the first biz to be accused of short-changing security researchers regarding vulnerability disclosures. In June, a pair of experts put multi-factor-token maker Yubico on blast after the vendor used their WebUSB security bug report to claim a bounty for itself from Google.

Yubico later apologized, and gave the researchers credit for the discovery. ®

Updated to add

A spokesperson for Kaspersky Lab has been in touch to say the VPN tool is completely outside the scope of the bug bounty:

Kaspersky Lab would like to thank Dhiraj Mishra for discovering a vulnerability in the Android-based Kaspersky Secure Connection app, which allowed a DNS service to log the domain names of the sites visited by users. This vulnerability was responsibly reported by the researcher, and was fixed in June.

The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhirai under the current rules. We highly appreciate his work, and in the future the program may include new products. As stated in Kaspersky Lab’s Bug Bounty Program rules, bounties are currently paid for two major products: Kaspersky Internet Security and Kaspersky Endpoint Security. The company is ready to pay up to $20,000 for the discovery of some bugs in these products, and up to $100,000 for the most severe.

The security of our customers is our top priority, which is why we always take independent research very seriously. Kaspersky Lab launched the Bug Bounty Program in partnership with HackerOne back in August 2016 and since that time, we have been successful in resolving 105 bugs and vulnerabilities, paying $11,700 collectively to the researchers who discovered them.


Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • EnemyBot malware adds enterprise flaws to exploit arsenal
    Fast-evolving botnet targets critical VMware, F5 BIG-IP bugs, we're told

    The botnet malware EnemyBot has added exploits to its arsenal, allowing it to infect and spread from enterprise-grade gear.

    What's worse, EnemyBot's core source code, minus its exploits, can be found on GitHub, so any miscreant can use the malware to start crafting their own outbreaks of this software nasty.

    The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, that have been around since 2016 and have launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining cryptocurrency. Securonix first wrote about EnemyBot in March.

    Continue reading
  • Indian government issues confidential infosec guidance to staff – who leak it
    Bans VPNs, Dropbox, and more

    India's government last week issued confidential information security guidelines that calls on the 30 million plus workers it employs to adopt better work practices – and as if to prove a point, the document quickly leaked on a government website.

    The document, and the measures it contains, suggest infosec could be somewhat loose across India's government sector.

    "The increasing adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground," the document opens.

    Continue reading
  • Chinese-sponsored gang Gallium upgrades to sneaky PingPull RAT
    Broadens targets from telecoms to finance and government orgs

    The Gallium group, believed to be a Chinese state-sponsored team, is going on the warpath with an upgraded remote access trojan (RAT) that threat hunters say is difficult to detect.

    The deployment of this "PingPull" RAT comes as the gang is broadening the types of organizations in its sights from telecommunications companies to financial services firms and government entities across Asia, Southeast Asia, Europe and Africa, according to researchers with Palo Alto Networks' Unit 42 threat intelligence group.

    The backdoor, once in a compromised system, comes in three variants, each of which can communicate with the command-and-control (C2) system in one of three protocols: ICMP, HTTPS and raw TCP. All three PingPull variants have the same functionality, but each creates a custom string of code that it sends to the C2 server, which will use the unique string to identify the compromised system.

    Continue reading

Biting the hand that feeds IT © 1998–2022