Security expert discovered a bug that affects million Kaspersky VPN users

A security issue exists in Kaspersky VPN <=v1.4.0.216 which leaks your DNS Address even after you’re connected to any virtual server. (Tested on Android 8.1.0)

What is a DNS leaks?

In this context, with the term “DNS leak” we indicate an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.

Kaspersky VPN is one of the most trusted VPN which comes with 1,000,000+ tier downloads in the official Google Play Store, however, it was observed that when it connects to any random virtual server still leaks your actual DNS address.

The expert  that discovered the flaw reported it to Kaspersky via Hackerone.

Mishra also published a step-by-step guide to reproduce the problem:

  1. Visit IPleak (Note your actual DNS address).
  2. Now, connect to any random virtual server using Kaspersky VPN.
  3. Once you are successfully connected, navigate to IPleak you will observe that the DNS address still remains the same.

Kaspersky VPN

The expert explained that the data leak could threaten the privacy of end-users that want to remain anonymous on the internet.

“I believe this leaks the trace’s of an end user, who wants to remain anonymous on the internet. I reported this vulnerability on Apr 21st (4 months ago) via H1, and a fix was pushed for same but no bounty was awarded.” states Mishra.

The expert reported this vulnerability to Kaspersky on Apr 21st via HackerOne, and a fix was pushed for the issue.

Unfortunately, at the time, the researcher was awarded as expected under the company’s bug bounty.

About the Author: Security Researcher

Pierluigi Paganini

(Security Affairs – Kaspersky VPN, privacy)


The post Security expert discovered a bug that affects million Kaspersky VPN users appeared first on Security Affairs.