UPDATE 10/15: SaferVPN have contacted us to inform us that they have removed Google Analytics from their app.safervpn.com subdomain and are working to completely remove email addresses from their URLs.
UPDATE 10/16: SaferVPN release a statement about their password policy – read more below.
UPDATE 10/17: Having conducted our own investigation, we are happy with the explanation given by SaferVPN CEO Amit Bareket. Read more below.
We’re not ashamed to admit that we have lots of VPN subscriptions here at VPNpro.com. The clue was always in the name, anyway.
Well, today one of these accounts encountered a problem. SaferVPN sent us an email to say that our account had been locked because they had changed their password policy and it so happened that our password didn’t meet the new requirements. Apparently, the reason for this policy change was the massive Facebook breach, which you can read more about here.
At first, we didn’t think anything of it – just a minor nuisance, nothing to whine about. But, suddenly, the realization struck us:
How do they know our password doesn’t meet their requirements?
After all, passwords are usually kept as hashes – fixed-length digests produced by a one-way function. There is no way to look at a hash and tell what the password parameters are, and a hash cannot simply be decrypted back into the password. Might it be that SaferVPN are storing all user passwords in plaintext? If so, we’re not fans of this practice and that’s putting it mildly.
UPDATE 10/16: SaferVPN release a statement about their password policy
Yesterday, SaferVPN made a blog post explaining their password policy change and its consequences. It reiterates what was said in the email:
Some user accounts have passwords that already meet our new security standards. Other user accounts are temporarily locked until users choose a new, stronger password.
This statement confirms our understanding of the situation and leaves the same question – how were they able to determine which accounts have adequate passwords and which ones do not?
UPDATE 10/17: SaferVPN CEO offers an answer to our password questions
Over the past couple of days, we have been in contact with SaferVPN CEO Amit Bareket, who has offered us the following explanation:
We validate the user password upon login, so if it is not matching the password requirements then we ask to choose for a stronger password (using the user input, which we DO NOT STORE at any given time).
At first, we were skeptical of this explanation, because to our knowledge the account in question had been unused for a while, so the email seemed to have come out of the blue. Additionally, the language in the email and the statement suggested that SaferVPN had looked through the passwords and blocked the accounts whose password strength didn’t meet requirements.
However, upon investigating some more using several other SaferVPN accounts, we were able to confirm that the explanation given by SaferVPN is correct. In short, the VPN service provider learns your account password strength during a login attempt (or 5 unsuccessful login attempts). This is what triggers the email that we received.
We must thank SaferVPN for their cooperation and patience in solving this matter!
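To make the mechanism concrete, here is an added sketch (not SaferVPN's code) of a login handler that stores only salted hashes and judges password strength from the submitted input after a correct login. The policy thresholds, the PBKDF2 parameters and all function names are assumptions, and the "5 unsuccessful attempts" path is not modeled.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch
MIN_LENGTH = 10       # assumed policy; the page does not state SaferVPN's rules


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the one-way digest, the only password material that is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def meets_policy(password: str) -> bool:
    """Strength check; it needs the plaintext, so it can only run on input."""
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password)]
    return len(password) >= MIN_LENGTH and all(classes)


def register(db: dict, user: str, password: str) -> None:
    """Legacy sign-up: no policy existed yet, so weak passwords get in."""
    salt = os.urandom(16)
    db[user] = {"salt": salt, "hash": hash_password(password, salt),
                "must_reset": False}


def login(db: dict, user: str, submitted: str) -> str:
    """Return 'denied', 'ok' or 'reset_required'; plaintext is never stored."""
    record = db.get(user)
    if record is None:
        return "denied"
    candidate = hash_password(submitted, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return "denied"
    # Only now, with the correct plaintext in memory, can strength be judged.
    if not meets_policy(submitted):
        record["must_reset"] = True  # persist a flag, not the password
        return "reset_required"
    return "ok"


def weak_accounts_from_db(db: dict) -> list:
    """What an offline scan of stored records can learn about strength."""
    return [user for user, rec in db.items() if rec["must_reset"]]
```

Until a user actually logs in, `weak_accounts_from_db` has nothing to report, which is why a lock-out notice for a long-unused account looked suspicious in the first place.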
Your SaferVPN username on Google Analytics?
As you can see in the screenshot, the URL for resetting your password includes your SaferVPN username (which also happens to be your email address).
If you follow the link to the page, you may notice – as we did – that it has a Google Analytics tracker on it. In other words, your SaferVPN username goes straight to Google Analytics.
Technically, this means that anyone with access to the SaferVPN GA account can export a list of email addresses used to sign up for the VPN service, opening a serious can of worms in the process. Who has access to SaferVPN’s GA account? Do third-party online marketing agencies have access to it? And even if they don’t, their own marketing director surely does. That’s already more than VPN users should be comfortable with.
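A site owner can check for this kind of leak before a tracker ever sees it. The following is an added example, not SaferVPN's or Google's code: it scans page URLs for email addresses in the path, query or fragment (including percent-encoded forms) and produces a redacted URL suitable for reporting. The URLs and the `example.test` host are constructed samples, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PLACEHOLDER = "REDACTED"

# Constructed sample of pages that load an analytics tracker.
PAGES = [
    "https://app.example.test/reset-password/alice%40example.com",
    "https://app.example.test/login?next=%2Fdashboard",
    "https://app.example.test/confirm?user=bob@example.org&step=2",
]


def _decode(component: str) -> str:
    # Decode twice to catch %40 and double-encoded %2540 forms of '@'.
    return unquote(unquote(component))


def find_emails(url: str) -> list:
    """Return email addresses found in the path, query or fragment."""
    parts = urlsplit(url)
    found = []
    for component in (parts.path, parts.query, parts.fragment):
        found.extend(EMAIL_RE.findall(_decode(component)))
    return found


def redact(url: str) -> str:
    """Return the URL as it may be reported to a third-party tracker."""
    if not find_emails(url):
        return url  # nothing to scrub; leave the URL byte-for-byte intact
    parts = urlsplit(url)
    path, query, fragment = (EMAIL_RE.sub(PLACEHOLDER, _decode(c))
                             for c in (parts.path, parts.query, parts.fragment))
    # The decoded form is used for reporting only, not for routing.
    return urlunsplit((parts.scheme, parts.netloc, path, query, fragment))


def audit(urls: list) -> list:
    """List (url, emails) pairs for every URL that would leak an address."""
    return [(u, find_emails(u)) for u in urls if find_emails(u)]
```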
Another thing to note:
As per the Terms of Service of Google Analytics, users are not allowed to pass personally identifiable information to Google. SaferVPN seems to be in violation of this rule.
You will not and will not assist or permit any third party to, pass information to Google that Google could use or recognize as personally identifiable information.
UPDATE 10/15: SaferVPN confirms issues with their URLs
We have received confirmation from SaferVPN that they have removed Google Analytics from their app.safervpn.com subdomain. In addition, they are working to remove usernames/email addresses from all of their URLs. More power to them!
Conclusion: how bad are we talking?
After a back and forth with SaferVPN that lasted several days, we have reached the following conclusions:
- The password issue is a communication issue, rather than a security issue. Password strength is determined at the time of input, rather than by looking at a plaintext database.
- SaferVPN have acknowledged that including the username (email address) in URLs is a bad practice. They are fixing it as we speak.
We thank SaferVPN for taking the time to clear things up and improve their services!