“NordVPN was compromised at some point. Their (expired) private Keys have been leaked.. “ – DigitalMunition





This topic contains 0 replies, has 1 voice, and was last updated by  BrianMiz 4 weeks ago.

  • #149144

    BrianMiz
    Member

    `OpenVPN private keys and the *.nordvpn.com TLS certificate have been leaked.`

    `This allowed* setting up a cloned website with the domain “nordvpn.com” (and any subdomain) and showing it as a “trusted” HTTPS site`

    ([https://mobile.twitter.com/korzq/status/1186114973833007104](https://mobile.twitter.com/korzq/status/1186114973833007104) (PoC))

    ……….

    [https://mobile.twitter.com/hexdefined/status/1185864801261477891](https://mobile.twitter.com/hexdefined/status/1185864801261477891) (@hexdefined)

    [https://web.archive.org/web/20191021100624/https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt](https://web.archive.org/web/20191021100624/https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt) (Hack Back)

    ……..

    ISPs can change their DNS entry to “nordvpn.com” and in this way redirect the user to another server. If that server holds the key/certs for “nordvpn.com” it will be shown as the “trusted” HTTPS site for “nordvpn.com”, hence it will impersonate “nordvpn.com”.

    …………………………………

    * As korzq pointed out (Thank You korzq) the certificates are now expired.

    To show the “green lock” icon you need to change the system time…
    (which could be achieved by a time spoofing attack: https://security.stackexchange.com/questions/4981/is-ntp-vulnerable-to-dns-poisoning-or-spoofing-attacks)

    The issue lies not so much in the “exploitability” of the certificates but rather in the fact that attackers gained “root access” (see Hack Back) on a NordVPN server, that the “private key + certificate” have been stored together inside a newly developed server, and that it took more than 1 year for the company to acknowledge the hack.
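
The post notes that the leaked certificate is expired and only validates if the client's clock is wrong. As an added example (not part of the original post), this client-side check flags a certificate that is on a deny-list of leaked keys, or that passes the validity window only under the local clock; the sample certificate, the fingerprint, the deny-list and the independent `trusted_now` time source are all constructed assumptions.

```python
import ssl
from calendar import timegm

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Hostname, dates and fingerprint are made up; they are not the leaked material.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.vpn-provider.example"),),),
    "notBefore": "Oct 15 00:00:00 2016 GMT",
    "notAfter": "Oct 15 23:59:59 2018 GMT",
}
SAMPLE_SHA256 = "ab" * 32           # placeholder fingerprint
LEAKED_SHA256 = {SAMPLE_SHA256}     # hypothetical deny-list of leaked-key certs


def utc(year, month, day):
    """Seconds since the epoch for midnight UTC on the given date."""
    return timegm((year, month, day, 0, 0, 0))


def assess(cert, sha256_hex, local_now, trusted_now, leaked=LEAKED_SHA256):
    """Return findings for a certificate the local TLS stack was offered.

    local_now   -- what the (possibly manipulated) system clock says
    trusted_now -- time from an independent source (assumption of this example)
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if sha256_hex.lower() in leaked:
        findings.append("leaked-key")
    ok_local = not_before <= local_now <= not_after
    ok_trusted = not_before <= trusted_now <= not_after
    if not ok_trusted:
        findings.append("expired" if trusted_now > not_after else "not-yet-valid")
    if ok_local and not ok_trusted:
        # The validity check passes only because the local clock is wrong.
        findings.append("valid-only-under-local-clock")
    return findings


if __name__ == "__main__":
    # Local clock rolled back into the validity window; trusted time is later.
    print(assess(SAMPLE_CERT, SAMPLE_SHA256, utc(2018, 6, 1), utc(2019, 10, 21)))
```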
