Manuel Nader, a researcher at Trustwave, discovered two vulnerabilities in the PureVPN client for Windows that could be exploited by a local attacker to access the stored password of the last user who successfully logged in to the PureVPN service.
The attack works against users running the PureVPN client with a default installation, and it is carried out directly through the graphical user interface.
The experts tested for these flaws under the following assumptions and conditions:
Nader found that the user password is visible in the configuration window of the PureVPN Windows client; the issue affects version 220.127.116.11.
To access the password, the attacker just needs to open the configuration window, open the “User Profile” tab, and click on “Show Password.”
“The PureVPN Windows Client provided by PureVPN may allow a local attacker to retrieve the stored password of the last user who successfully logged in to the PureVPN service. Because of this, a local attacker may obtain another user’s PureVPN credentials when a Windows machine has multiple users if they have successfully logged in.” states the advisory published by Trustwave.
“The attack is done exclusively through the GUI (Graphical User Interface), there’s no need to use an external tool.”
Nader also discovered that the PureVPN client for Windows stores the login credentials in plain text in a login.conf file under the path “C:\ProgramData\purevpn\config\”.
The researcher found that any local user has permission to read this file.
“The PureVPN Windows Client stores the Login Credentials (username and password) in plaintext. The location of such files is: ‘C:\ProgramData\purevpn\config\login.conf’,” continues the advisory.
“Additionally, all local users can read this file.”
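The advisory's two concrete facts, a plaintext credential file at a fixed path and an ACL that lets every local user read it, are something an administrator can verify on a host before and after patching. The following PowerShell audit is an added example, not code from the article, Trustwave or PureVPN: it only uses the file path quoted in the advisory, and the list of "broad" principals it treats as equivalent to "all local users" is the author's assumption. It does not parse the file, since the page says nothing about its format.

```powershell
# Added example (not from the article, Trustwave or PureVPN): check whether the
# plaintext credential file named in the advisory exists and whether its ACL
# grants read access to every local user. The path is the one quoted in the
# advisory; the principal list and the check logic are assumptions.
$ConfigPath = 'C:\ProgramData\purevpn\config\login.conf'

function Test-PureVpnCredentialExposure {
    param([string]$Path = $ConfigPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; WorldReadable = $false; Findings = @() }
    }

    $acl = Get-Acl -LiteralPath $Path

    # Assumed set of principals that effectively mean "any local user".
    $broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }

        # FileSystemRights is an int-backed flags enum. ReadData is bit 1; an ACE
        # carrying generic rights (GENERIC_READ etc.) shows up as a negative value
        # and is treated as readable as well.
        $rights   = [int]$ace.FileSystemRights
        $readable = ($rights -lt 0) -or (($rights -band 1) -ne 0)
        if ($readable) {
            "$($ace.IdentityReference.Value) is allowed $($ace.FileSystemRights)"
        }
    }

    [pscustomobject]@{
        Path          = $Path
        Exists        = $true
        WorldReadable = [bool]$findings
        Findings      = @($findings)
    }
}

# Usage: run in an elevated PowerShell session on the host being checked.
$result = Test-PureVpnCredentialExposure
$result | Format-List
if ($result.Exists -and $result.WorldReadable) {
    Write-Warning 'Credential file is readable by all local users: update the client to 6.1.0 or later and rotate the PureVPN password.'
}
```

The script reports Exists = $false on a machine without the client, and on an unpatched install it lists each Allow entry for a broad principal that carries read access. Inherited entries are included deliberately, because ProgramData subfolders typically inherit the BUILTIN\Users read ACE from the parent, which is the most likely reason the advisory's "all local users can read this file" holds.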
The researcher reported the issues to the vendor in mid-August 2017, and a security patch addressing them was released in June 2018.
PureVPN users are urged to update to version 6.1.0 or later.
“Finally, some recommendations are:
(Security Affairs – PureVPN, hacking)