Kaspersky VPN Bug Leaked DNS Lookups
13.8.18 securityweek Safety
A recently patched security vulnerability in the Kaspersky VPN application for Android resulted in DNS queries being exposed even after the user connected to a virtual server.
The flaw was discovered in Kaspersky VPN version 22.214.171.124 and is believed to affect previous iterations of the Android software.
According to Dhiraj Mishra, the security researcher who discovered the bug, the application would send DNS queries outside the established VPN tunnel. The privacy issue could be triggered when connecting to any random virtual server, and basically allowed a DNS service to log the domain names of the sites visited by users.
Kaspersky VPN has more than 1 million downloads in Google Play.
“I believe this leaks the traces of an end user who wants to remain anonymous on the internet,” the researcher notes in a blog post.
The vulnerability was reported to Kaspersky via the anti-virus maker’s bug bounty program on HackerOne on April 21. A fix was already released for the flaw, but no reward was issued for the finding, the security researcher says.
As per Kaspersky’s public bug bounty program’s rules, rewards are handed out for flaws that result in leaked sensitive data, but only user passwords, payment data, and authentication tokens are considered within the scope of the program.
Thus, it becomes clear that the researcher’s discovery of a bug that results in leaked DNS addresses doesn’t fall within the bug bounty program’s scope.
On the other hand, however, Kaspersky does note in the application’s description in Google Play, that its VPN software can keep users anonymous while they browse the Internet.
“Because your location and your IP address aren't revealed through the VPN service, it's easier for you to access websites and content in other regions – without being traced,” Kaspersky VPN’s description reads.
Responding to a SecurityWeek inquiry, Kaspersky Lab confirmed the flaw and recognized Dhiraj’s contribution to improving the app’s security: “This vulnerability was responsibly reported by the researcher, and was fixed in June.”
Kaspersky also confirmed that the researcher did not receive a bug bounty reward for the discovery.
“The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhirai under the current rules. We highly appreciate his work, and in the future the program may include new products,” Kaspersky said.