Vulnerabilities in PureVPN Client Leak User Credentials
29.9.2018 securityweek
Vulnerebility

The PureVPN client for Windows is impacted by two vulnerabilities that result in user credential leak, a Trustwave security researcher has discovered.

The bugs, Trustwave’s Manuel Nader says, may allow a local attacker to retrieve the stored password of the last user who successfully logged in to the PureVPN service. The attack is performed directly through the GUI (Graphical User Interface), without the need of another tool.

For the attack to work, the PureVPN client should have a default installation, the attacker should have access to any local user account, and a user should have successfully logged in to the PureVPN using the client on a Windows machine.

When disclosing another user’s credentials in a multiuser environment, the Windows machine should have more than one user.

The security researcher discovered that, in version 5.18.2.0 of the PureVPN Windows client, the user password is revealed in the application’s configuration window.

To retrieve the password, the attacker simply needs to open the PureVPN client, access the configuration window, open the "User Profile" tab, and click on "Show Password."

The researcher also discovered that the PureVPN client for Windows stores the login credentials (username and password) in plaintext in a login.conf file located at 'C:\ProgramData\purevpn\config\. What’s more, all local users have permissions to read this file, the researcher discovered.

The issues were disclosed to the vendor in mid-August 2017. A patch was released in June 2018. PureVPN users on Windows are advised to update to version 6.1.0 or later, as this iteration removes the plaintext password vulnerability.

“The vendor has accepted the risks of the password being revealed in the client's configuration window,” Nader says.