Yesterday, Reddit unearthed a slightly worrying Private Internet Access (PIA) bug. It’s unlikely to cause too much trouble for users of the popular VPN, but it does provide a cautionary tale about PIA’s developers for those in search of a VPN service. The bug temporarily reveals your PIA username and password in a plaintext (unencrypted) file. Currently, it’s been shown to affect Windows and Linux, but there are speculations that a similar programming logic could have been used in apps for other platforms as well.
It’s a bit misleading to call this “the PIA username and password leak” – to quote one of the threads, the bug “happens because there are 2 (main) processes one handling the GUI and one which handles the connection. As someone is connecting to the VPN the GUI process writes the username and password in plain text into a file called user_pass.txt in the installation folder. Then the second process is being spawned and reads from the file and deletes it. So, if you block the file from being deleted you can read the username and password in plain text.”
The PIA username and password bug is only slightly concerning because it’s only dangerous if someone has access to your hard drive to read the “user_pass.txt” file, at which point they could probably find other ways to access your PIA account as well – by using a keylogger, for example. What concerns us most about this vulnerability is its pervasiveness (because all Windows and Linux systems are affected). Combined with other unrelated vulnerabilities, this relatively benign bug could cause damage. But that’s really beside the point.
PIA is yet to comment in an official capacity, but a kind Redditor reached out to their support and came back with the following statement:
We can’t argue that the gist of what PIA is saying is true. However, it should be self-evident that saving the username and password in plaintext is just not good practice. Users expect VPNs to be highly competent in the sphere of security, but a flaw like this betrays an incorrect mindset. Those in the know will tell you that little vulnerabilities can lead to huge ones when the evil geniuses of the world want to exploit them. It’s best to cover your bases. All of them!
So, is Private Internet Access safe to use? Probably as safe as it’s ever been and this bug has changed little. It only shows something we’ve known for a long time – you’ll find better security elsewhere.