Manuel Nader, an expert from Trustwave, discovered two vulnerabilities in the PureVPN client for Windows that could be exploited by a local attacker to access the stored password of the last user who successfully logged in to the PureVPN service.
The attack works against users using PureVPN client with a default installation, it is launched directly through the Graphical User Interface.
The experts tested for these flaw under the following assumptions and conditions:
Nader discovered that user password is visible in the configuration window of the PureVPN Windows client, the issue affects the version 126.96.36.199.
To access the password, the attacker just needs to open the configuration window, open the “User Profile” tab, and click on “Show Password.”
“The PureVPN Windows Client provided by PureVPN may allow a local attacker to retrieve the stored password of the last user who successfully logged in to the PureVPN service. Because of this, a local attacker may obtain another user’s PureVPN credentials when a Windows machine has multiple users if they have successfully logged in.” states the advisory published by Trustwave.
“The attack is done exclusively through the GUI (Graphical User Interface), there’s no need to use an external tool.”
Nader also discovered that the PureVPN client for Windows stores the login credentials in plain text in a login.conf file at the path “‘C:\ProgramData\purevpn\config\.”
The researcher discovered that any local users have permissions to read this file.
“The PureVPN Windows Client stores the Login Credentials (username and password) in plaintext. The location of such files is: ‘C:\ProgramData\purevpn\config\login.conf'” continues the advisory.
“Additionally, all local users can read this file.”
The expert notified the issues to the vendor in mid-August 2017 and a security patch addressing them was released in June 2018.
PureVPN users urge to update to version 6.1.0 or later.
“Finally, some recommendations are:
(Security Affairs – PureVPN, hacking)