Security researchers from Trustwave have discovered security flaws in PureVPN’s stored-password function, and say the software’s developers have chosen to accept certain risks in the way they have built the software.
In an article attributed to researcher Manuel Nader, Trustwave has found PureVPN has two significant vulnerabilities. One was rectified by PureVPN’s developers but the other remains.
The PureVPN Windows Client allows a local attacker to retrieve the stored password of the last user who successfully logged in to the PureVPN service. On a Windows machine with multiple users, the attacker can therefore obtain another user’s PureVPN credentials if that user has previously logged in successfully. The attack doesn’t need any special tools, as it can be done entirely through the GUI (Graphical User Interface).
All the attacker needs to do is open the PureVPN configuration and go to the “User Profile” tab. When they click on “Show Password”, they will have access to the user credentials.
This is especially troublesome if the user reuses the same password in other applications and services. However, PureVPN’s developers have chosen to accept the risks associated with this.
The second flaw identified by Trustwave has been rectified. It involves the plaintext storage of PureVPN credentials. The file stored at ‘C:\ProgramData\purevpn\config\login.conf’ can be read by anyone using the computer. Fortunately, this has been fixed in a recent release.
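For administrators who want to confirm whether a credential file on their own machines is exposed in the way the second flaw describes, the following PowerShell function audits a file’s ACL for read access granted to broad, non-administrative principals. It is an added example, not code from Trustwave or PureVPN; the path is the one named above, while the list of “broad” principals and the function name are assumptions made for illustration.

```powershell
# Added example (not from Trustwave or PureVPN): report whether a file's ACL
# grants read access to broad principals such as Everyone or BUILTIN\Users.
# The principal list below is an assumption chosen for this illustration.

function Test-BroadReadAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $BroadPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Findings = @() }
    }

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        # Only Allow entries widen access; Deny entries restrict it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        # ReadData is the right needed to read file contents.
        $grantsRead = ($ace.FileSystemRights -band
            [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($grantsRead -and ($BroadPrincipals -contains $who)) {
            [pscustomobject]@{
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited from C:\ProgramData?
            }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Exists   = $true
        Findings = @($findings)
    }
}

# Usage: the path named in the advisory. A non-empty Findings list means any
# local user can read the file, which is the condition Trustwave reported.
$result = Test-BroadReadAccess -Path 'C:\ProgramData\purevpn\config\login.conf'
if ($result.Exists -and $result.Findings.Count -gt 0) {
    Write-Warning "Credential file readable by broad principals:"
    $result.Findings | Format-Table -AutoSize
} elseif ($result.Exists) {
    Write-Output "No broad read access found on $($result.Path)."
} else {
    Write-Output "File not present: $($result.Path)"
}
```

The `Inherited` column is worth watching: by default C:\ProgramData grants BUILTIN\Users read access and child files inherit it, so an application that drops a plaintext credential file there without setting its own ACL ends up world-readable on the machine simply through inheritance. The durable fix is the one the vendor applied (not storing the secret in plaintext), with per-user protection such as DPAPI or the Windows Credential Manager; tightening the ACL on the file alone only narrows the exposure.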
The usual advice applies when it comes to ensuring your apps are as secure as possible. Keep them up to date and don’t re-use passwords. Where possible, use two-factor authentication so a compromised password doesn’t result in a major breach.