
Thursday 9 August 2018

A bug that affects millions of users - Kaspersky VPN

Hi Internet,

The issue exists in Kaspersky VPN <= v1.4.0.216, which leaks your DNS address even after you're connected to any virtual server. (Tested on Android 8.1.0)

What is a DNS leak?
In this context, a "DNS leak" means an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel, so the resolver on the local network (or your ISP) still sees every domain name you look up, even while the VPN is connected.

Kaspersky VPN is one of the most trusted VPNs, with 1,000,000+ downloads on the Android market; however, it was observed that when it connects to any random virtual server it still leaks your actual DNS address. This issue was reported to Kaspersky via HackerOne.

Steps to reproduce:
1. Visit IPleak (note your actual DNS address).
2. Now, connect to any random virtual server using Kaspersky VPN.
3. Once you are successfully connected, navigate to IPleak again; you will observe that the DNS address still remains the same.
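The definition above (a DNS query that leaves the device outside the tunnel) can be checked from a packet capture rather than a website. The following is an added example, not code from the original post or from Kaspersky: it assumes a constructed one-line-per-query capture summary, a tunnel interface named `tun0`, and treats port-53 queries on any other interface as leaks, while port-853 (DNS over TLS) traffic is reported separately because it is encrypted.

```python
from dataclasses import dataclass
from typing import List, Optional

TUNNEL_IFACE = "tun0"            # assumption: the VPN's tunnel interface name
DNS_PORTS = {53: "plain", 853: "DoT"}


@dataclass
class DnsEvent:
    iface: str
    src: str
    dst: str
    port: int
    qname: str


def parse_line(line: str) -> Optional[DnsEvent]:
    # Constructed summary format: "<iface> <src> -> <dst>:<port> <qname>"
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    dst, _, port = parts[3].rpartition(":")
    if not port.isdigit() or int(port) not in DNS_PORTS:
        return None
    return DnsEvent(parts[0], parts[1], dst, int(port), parts[4])


def find_leaks(lines: List[str], tunnel_iface: str = TUNNEL_IFACE):
    """Split DNS events into (leaks, in_tunnel, encrypted).

    A leak, in the sense used above, is a plaintext port-53 query that
    leaves on an interface other than the tunnel. DoT on port 853 outside
    the tunnel is encrypted, so it is listed separately rather than as a leak.
    """
    leaks, in_tunnel, encrypted = [], [], []
    for ev in filter(None, map(parse_line, lines)):
        if ev.iface == tunnel_iface:
            in_tunnel.append(ev)
        elif ev.port == 53:
            leaks.append(ev)
        else:
            encrypted.append(ev)
    return leaks, in_tunnel, encrypted


# Constructed sample: VPN is up on tun0, yet two queries still go to the
# carrier's resolver over the mobile interface in the clear.
SAMPLE = [
    "tun0 10.8.0.2 -> 10.8.0.1:53 ipleak.net",
    "rmnet0 100.64.1.7 -> 203.0.113.53:53 example.com",
    "rmnet0 100.64.1.7 -> 203.0.113.53:853 secure.example",
    "rmnet0 100.64.1.7 -> 203.0.113.53:53 ads.example.net",
]

if __name__ == "__main__":
    for ev in find_leaks(SAMPLE)[0]:
        print(f"LEAK via {ev.iface}: {ev.qname} -> {ev.dst}")
```

Any line printed here corresponds to exactly the behaviour the reproduction steps show on IPleak: the resolver address stays that of the underlying network instead of the VPN's.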

I believe this leaks the traces of an end user who wants to remain anonymous on the internet. I reported this vulnerability on Apr 21st (4 months ago) via H1, and a fix was pushed for the same, but no bounty was awarded.

“Kaspersky Lab would like to thank Dhiraj Mishra for discovering a vulnerability in the Android-based Kaspersky Secure Connection app, which allowed a DNS service to log the domain names of the sites visited by users. This vulnerability was responsibly reported by the researcher, and was fixed in June.

The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhiraj under the current rules. We highly appreciate his work, and in the future the program may include new products. As stated in Kaspersky Lab’s Bug Bounty Program rules, bounties are currently paid for two major products: Kaspersky Internet Security and Kaspersky Endpoint Security. The company is ready to pay up to $20,000 for the discovery of some bugs in these products, and up to $100,000 for the most severe.”

However, this was featured on TheRegister and BleepingComputer.