So you’re thinking about trying out NordVPN, the popular VPN service that allows you to do all kinds of weird stuff like watch TV while on the go or change your location without having to log out of your account. Sounds good, right?
Well, maybe not so much. Because although it’s very easy to use, the service does have some significant flaws that could expose your personal information if you aren’t careful.
Here’s a breakdown of what you need to know about NordVPN so you can proceed with caution.
NordVPN has repeatedly been the target of security researchers, who have uncovered numerous vulnerabilities in the service.
In July 2018, the company patched a critical Remote Code Execution (RCE) flaw in all of its desktop VPN clients. In August, it issued an emergency security update to patch a critical Remote File Inclusion (RFI) flaw.
Then, in September, the company released a statement saying that it had discovered a critical vulnerability in the TLS (Transport Layer Security) protocol. That same month, VPN provider Private Internet Access (PIA) warned its users of the same vulnerability. And in October, the company released an emergency security update to patch a critical Heartbeat attack vulnerability. Last but not least, in November, NordVPN said that it had fixed a critical XSS (Cross-Site Scripting) flaw in all of its desktop VPN clients.
While most of these vulnerabilities would allow an attacker to remotely access your device and any connected devices as part of your account, the critical ones could have allowed an attacker to take full control of your device. And if that’s the case, then it would have been a matter of time before they found a way to monetize your information.
You may be wondering if there’s any way to recover your personal information if it was ever stolen from NordVPN. To answer that question, let’s take a quick look at the type of data that could be compromised.
If you’re a user of the desktop version of NordVPN, then all of the data on your device (like your username, email address, and hashed passwords for logging in) are stored in plaintext on the hard drive, meaning that if you lose your device or it breaks down, you’re pretty much hosed. If you want to recover your data, then you’re going to have to set up a new device or pay for an entire data wipe to be done.
If you’re a mobile user of NordVPN, then apart from your personal data, you’re going to lose all of the configuration settings for the app as well as any logs that it might have stored. While some configuration data is stored in the cloud, you have no control over how secure that data is and whether or not you can truly delete it if you ever need to. As for the logs, they’re stored on the device itself, so if it gets lost or damaged, you’re pretty much hosed as well.
You may also be wondering if there’s any way to steal someone else’s account and use it to log in to NordVPN. Fortunately, this is something that the company has prevented with two-factor authentication (2FA). However, if you disable 2FA, then it’s easy enough for an attacker to perform account cloning (or ‘password spraying’, as it’s sometimes called) and gain full access to your network.
To perform account cloning, an attacker would simply need your login credentials and the IP address of the device that you’re using. Then, they could use automated tools like Hydra or Hashcat to find the correct credentials for your account (making use of any weak passwords that you might have used). Once they have your login details, they can set up a new account with a VPN and gain complete control over your network traffic. Just remember that this can also be used to spy on your network activity or gain access to any other site or service that you might be using that is connected to the same IP address as your NordVPN account.
Finally, we come to the part of the article that you may have been waiting for: whether or not it’s safe to log in to NordVPN. Let’s take a quick look at what’s going on behind the scenes when you try to log in to NordVPN and how to avoid becoming a victim of identity theft.
When you try to log in to NordVPN, it’s going to ask for your username and password. But instead of directing you to the login page for the company, it will simply redirect you to the login page for a free VPN service called PureVPN. So if you want to log in to NordVPN, then you’re going to have to do so through PureVPN first.
If you try to log in to the free VPN service incorrectly using the wrong credentials, then it will immediately redirect you to the login page for the premium account that you’re trying to avoid. So it’s best to avoid logging in to any free VPN service using your credentials from a different service. In that case, you’ll have to wait a while before you can get back to where you were before you tried to log in to NordVPN on the phone. And when you do get back there, you’re probably going to have to start all of your applications and services from scratch in order to get back to where you were before you tried to log in to the free VPN service.
So in a nutshell, the short answer is: it’s not safe to log in to NordVPN using the web browser that you previously used to log in to a free VPN service. And the longer answer is that although it’s very convenient to use services like NordVPN that let you do all of this from the convenience of your mobile phone, it’s not a good idea to do so if you’re not prepared to take the occasional risk. It’s always better to use a dedicated app for VPN and keep your web browser open to only the sites that you need to visit.
Hopefully, this article has answered all of your questions about NordVPN and given you a better understanding of what to watch out for. It’s always a good idea to use a VPN like NordVPN on a mobile device, but you have to be smart about what you’re doing. If you want to keep your personal information secure, then you should be using a VPN that is committed to always keeping your data safe and private, and not a ‘free’ VPN that might have some minor security flaws in its code.