Kaspersky VPN blabbed domain names of visited websites – and gave me a $0 reward, says chap

Kaspersky's Android VPN app whispered the names of websites its 1,000,000-plus users visited along with their public IP addresses to the world's DNS servers. The antivirus giant duly fixed up the blunder when a researcher reported it via the biz's bug bounty program – for which he received zero dollars and zero cents as a …

  1. Anonymous Coward

    So they fixed it...

    ... and thereby agreed it was broken and insecure, but paid out fuck all?!

    Next time sell it to the black hats and fuck the vendor.

    1. Anonymous Coward

      Re: sell it to the black hats and ...

      but does that "fuck the vendor" or "fuck the users"?

      1. Michael Habel

        Re: sell it to the black hats and ...

        Both but, ultimately the former.

      2. Christian Berger

        Re: sell it to the black hats and ...

        "but does that "fuck the vendor" or "fuck the users"?"

        I'm sorry, but for decades the security community has been warning against vendors of "security in a box" like Kaspersky. It's like doctors warning that homeopathy is nothing more than a placebo with a talk.

        BTW this is not some sophisticated problem that's hard to exploit. Everyone already sniffing for DNS traffic wouldn't even have noticed there being a VPN anyhow. So they wouldn't have gotten anything from "Blackhacks" (I don't like those terms, it's like putting people into "good" and "evil" categories. Life is not black or white, and many people with good intentions do horrible things, see Mozilla)

        1. JohnFen

          Re: sell it to the black hats and ...

          This. A million times this. "Security" is not something you can achieve just by installing a piece of software or hardware, no matter what vendors claim.

    2. NonSSL-Login

      Re: So they fixed it...

      Companies list what products they pay a bounty out under on Hackerone and the VPN product was not on the list. It is that simple.

      There is nothing to sell black hats in this case as there is no exploit for a vulnerability. It's a data leak problem.

      Kaspersky should, however, be ashamed of itself for supplying VPN software with DNS leak problems. They could potentially argue that the VPN is there to encrypt your traffic to avoid it being read or modified (MITM'ed) while on public networks rather than for anonymity, although I have not seen how they market the product. In this day and age, though, one would expect DNS traffic to be VPN'ed along with the rest of the traffic as standard for such a product.

  2. Anonymous Coward

    Kaspersky VPN

    Kaspersky was using "HotSpot Shield" for their VPN server at one time on their Desktop AV program.

    I hope that isn't the case with the app.

    A little off topic but I noticed that while running a quick scan of Kaspersky on a Windows machine that there were a lot of internet packets of the same size being sent out.

    I made the assumption that perhaps checksums were being made of all the files on the hard drive due to the packets having the same size.

    I did have the default option of sending samples back to the mothership disabled.

    The packets were encrypted however and I never got around to investigating further so my assumptions could be unjustified.

  3. Martin Gregorie

    Yubico later apologized, and gave the researchers credit for the discovery.

    ....but did they keep the cash?

  4. cd

    Kaspersky blew a chance for positive publicity in a community they should be supporting avidly.

  5. Anonymous Coward

    Who cares about fame?

    Bug bounty programs are a poor solution for actual security, and thus for end users. They are often used to buy silence, and can make it difficult to report bugs where you want to retain control of the information and don't give two hoots about the cash.

    This guy let his greed get the better of him. It’s clear that Kaspersky don’t pay for this class of bug. I know of at least two other organisations that do. Not that they’d be reporting it up to Kaspersky...

    Lesson for all researchers. Decide what outcome you’re interested in (securing end users, cash, fame) and send your findings to the appropriate party.

    1. John H Woods

      Re: "Decide what outcomes you're interested in"

      As a prime reason to have a personal VPN is to hide web destinations, a DNS leak pretty much renders it worthless.

      I'm very glad security researchers hold these vendors to account.

  6. Nick Kew

    Is this a bug at all?

    Doesn't rather depend on what the VPN product claims for itself? The app store page you link isn't specific enough to tell that.

    When I've used a VPN Client, it has nothing to do with hiding my identity. It's just a means to connect to an employer's or client's network. A higher-level (and much more scary) alternative to ssh, and providing less privacy than ssh, in that it gives the relevant BOFH a lot of audit trail if I do anything so frivolous as read El Reg on $work time.

    In a product aimed at the employers and clients for whom I've used one, DNS lookups outside the VPN would not be an issue at all.

      1. John H Woods

      Re: Is this a bug at all?

      Whilst I agree that the *user* of a corporate VPN might not care about DNS leakage, the corporation should.

      Unnecessary information leakage is always a problem, even if it just enables social engineering attacks (eg which vendor support pages you are visiting).

      As the tunnel is already there, there's really no excuse for not sending DNS queries through it.

  7. glnz

    But do these tests work to check protected DNS lookups?

    When I use a VPN, I run these tests first to confirm my DNS queries are going only via the VPN tunnel - but I'm not a tech, so am I doing the right thing?

    https://www.dnsleaktest.com/

    https://ipleak.net/

    Also, what do you all think about Simple DNSCrypt?
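An added example (not code from the article, Kaspersky, or any commenter) of the leak check glnz asks about and the point NonSSL-Login makes above, done offline against a constructed connection log rather than a live website: it assumes a tunnel interface named tun0 and an in-tunnel resolver at 10.8.0.1 (both assumed values), and flags every DNS query that bypassed either, which is exactly the traffic an ISP or anyone on the local network can read.

```python
"""Offline DNS-leak check over a constructed outbound-connection log.
A query is 'leaked' when it left via an interface other than the VPN
tunnel, or went to a resolver other than the one inside the tunnel."""
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample log (not real data). Format per line:
#   <time> <iface> <src>:<port> -> <dst>:53 <queried-name>
SAMPLE_LOG = """\
10:00:01 tun0  10.8.0.2:51000     -> 10.8.0.1:53     example.org
10:00:02 wlan0 192.168.1.20:51001 -> 192.168.1.1:53  theregister.co.uk
10:00:03 tun0  10.8.0.2:51002     -> 10.8.0.1:53     kaspersky.com
10:00:04 wlan0 192.168.1.20:51003 -> 8.8.8.8:53      hackerone.com
10:00:05 rmnet0 100.64.3.7:51004  -> 100.64.0.1:53   bank.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<src>\S+):\d+\s+->\s+"
    r"(?P<dst>\S+):53\s+(?P<qname>\S+)$"
)


@dataclass
class DnsQuery:
    ts: str
    iface: str
    dst: str
    qname: str


def parse_log(text):
    """Parse the constructed log format above; skip lines that don't match."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            queries.append(DnsQuery(m["ts"], m["iface"], m["dst"], m["qname"]))
    return queries


def find_leaks(queries, tunnel_iface, tunnel_resolver):
    """Return every query that did not go through the tunnel to its resolver."""
    resolver = ipaddress.ip_address(tunnel_resolver)
    return [q for q in queries
            if q.iface != tunnel_iface or ipaddress.ip_address(q.dst) != resolver]


def leak_report(text, tunnel_iface="tun0", tunnel_resolver="10.8.0.1"):
    """Summarise how many queries leaked and which names were exposed."""
    queries = parse_log(text)
    leaked = find_leaks(queries, tunnel_iface, tunnel_resolver)
    return {"total": len(queries), "leaked": len(leaked),
            "leaked_names": [q.qname for q in leaked]}


if __name__ == "__main__":
    print(leak_report(SAMPLE_LOG))
```

On a real device the same classification applies to a packet capture filtered on UDP/TCP port 53: any query seen on a non-tunnel interface is the leak the article describes, whatever the app reports.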

  8. mutin

    yet another good news about Kaspersky

    So, the guys want to be in the bad news again. They created a buzz after being caught collecting and sending user info to the Russian FSB, followed by the US government embargo on their use. That damaged their reputation, and others are following the US government, or at least thinking about it. Instead of paying something, even if not legally obligated, they want the K-name to be in discussion again. However, the IT/security world is not Hollywood. A bad reputation is a really bad thing.

    I would suggest researchers sell Kaspersky-related bugs on the open market, as the K-guys are really cheap and in bad financial shape. Or their PR is as stupid as it gets.

  9. JohnFen

    This is an ongoing problem

    "Unfortunately for Mishra, this data is defined as user passwords, payment information, and authentication tokens – and not IP addresses and domain-name lookups."

    Yes, this is the same problem we run into when companies start talking about "personally identifiable information" generally -- the definition of PII used by pretty much every company in existence and the definition I have are two very different things.

    In my view, PII is any information that can be used to identify you. However, companies define it as a piece of information that is listed in their pre-ordained list of specific data items, all of which omit lots of information that can be personally identifying.

    This is why I simply ignore any claims made about protecting "PII", since we don't even agree on our definitions.

  10. Robert Helpmann??

    I don't think that means what you think it means

    The security of our customers is our top priority...

    Nope. This is merely the mantra that corporate droids repeat over and over in hopes that they will be believed. Publicly demonstrating that you wish to discourage research into any of your security products indicates the opposite of it being important to you. If you are actively undermining something, you cannot accurately claim to be supporting it too.

  11. ashleytowers

    "successful in resolving 105 bugs and vulnerabilities, paying $11,700 collectively" So no one got $20k (let alone 100k), and an average of $110ish a bug...

  12. Zangetsu

    supercyberotters.org is amazing !!
