
Private Internet Access design flaw saves username and password in plaintext


Yesterday, Reddit unearthed a slightly worrying Private Internet Access (PIA) bug. It’s unlikely to cause too much trouble for users of the popular VPN, but it does provide a cautionary tale about PIA’s developers for those in search of a VPN service. The bug temporarily exposes your PIA username and password in a plaintext (unencrypted) file. So far it has been shown to affect Windows and Linux, but there is speculation that the same programming logic could have been used in the apps for other platforms as well.

It’s a bit misleading to call this “the PIA username and password leak” – to quote one of the threads, the bug “happens because there are 2 (main) processes, one handling the GUI and one which handles the connection. As someone is connecting to the VPN, the GUI process writes the username and password in plain text into a file called user_pass.txt in the installation folder. Then the second process is being spawned and reads from the file and deletes it. So, if you block the file from being deleted, you can read the username and password in plain text.”
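To make the design flaw concrete, here is an added example (not PIA’s code, written for this article) that reproduces the two-process hand-off in miniature and contrasts it with the safer alternative. The file name user_pass.txt comes from the Reddit thread; the credentials are constructed placeholders, and the helper process is a small Python script standing in for the connection process. The file-based variant shows what any local reader sees in the window between write and delete; the pipe-based variant passes the same credentials to the child over stdin, so nothing ever reaches disk.

```python
# Added example, not Private Internet Access code. Contrasts the file-based
# credential hand-off described in the Reddit thread with a pipe-based one.
# Usernames/passwords used here are constructed placeholders.
import os
import subprocess
import sys
import tempfile

# Child-process logic shared by both variants. It runs in a separate Python
# interpreter so the hand-off genuinely crosses a process boundary.
CHILD = r"""
import os, sys
if len(sys.argv) > 1:            # file-based: argv[1] is the plaintext file
    path = sys.argv[1]
    with open(path) as f:
        lines = f.read().splitlines()
    os.unlink(path)              # delete after reading, as the thread describes
else:                            # pipe-based: credentials arrive on stdin
    lines = sys.stdin.read().splitlines()
print("received %d fields" % len(lines))
"""


def handoff_via_file(install_dir, username, password):
    """Flawed pattern: write user_pass.txt, spawn the helper, let it delete it.

    Returns (snapshot, child_output, file_remains). `snapshot` is what any
    local reader can see in the window between the write and the delete.
    """
    path = os.path.join(install_dir, "user_pass.txt")
    with open(path, "w") as f:
        f.write(username + "\n" + password + "\n")
    # Simulate a local observer reading the file during that window.
    with open(path) as f:
        snapshot = f.read()
    proc = subprocess.run([sys.executable, "-c", CHILD, path],
                          capture_output=True, text=True, check=True)
    return snapshot, proc.stdout.strip(), os.path.exists(path)


def handoff_via_pipe(install_dir, username, password):
    """Hardened pattern: pass credentials over an anonymous pipe (stdin).

    Returns (child_output, file_remains). Nothing is written to install_dir,
    so there is no window in which a file can be read or held open.
    """
    proc = subprocess.run([sys.executable, "-c", CHILD],
                          input=username + "\n" + password + "\n",
                          capture_output=True, text=True, check=True)
    path = os.path.join(install_dir, "user_pass.txt")
    return proc.stdout.strip(), os.path.exists(path)


def demo(username="p0000000", password="example-pass"):
    """Run both hand-offs in a scratch directory and return their results."""
    with tempfile.TemporaryDirectory() as d:
        return (handoff_via_file(d, username, password),
                handoff_via_pipe(d, username, password))


if __name__ == "__main__":
    file_result, pipe_result = demo()
    print("file hand-off:", file_result)   # plaintext snapshot is visible
    print("pipe hand-off:", pipe_result)   # same fields delivered, no file
```

Both variants deliver the same two fields to the child. The difference is that the pipe version has no on-disk artifact to block, copy or recover, which is why passing secrets between processes over a pipe (or an equivalent in-memory channel) is the usual recommendation instead of a temporary file.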


The PIA username and password bug is only slightly concerning because it is only dangerous to someone who already has access to your hard drive and can read the “user_pass.txt” file, at which point they could probably find other ways into your PIA account as well – by planting a keylogger, for example. What concerns us most about this vulnerability is its pervasiveness (all Windows and Linux installations are affected). Combined with other, unrelated vulnerabilities, this relatively benign bug could cause damage. But that’s really beside the point.

PIA is yet to comment in an official capacity, but a kind Redditor reached out to their support and came back with the following statement:

[Screenshot: PIA support’s reply via Twitter]

We won’t dispute the gist of what PIA is saying. However, it should be self-evident that saving the username and password in plaintext is simply not good practice. Users expect VPNs to be highly competent in the sphere of security, and a flaw like this betrays the wrong mindset. Those in the know will tell you that little vulnerabilities can lead to huge ones when the evil geniuses of the world want to exploit them. It’s best to cover your bases. All of them!

So, is Private Internet Access safe to use? Probably as safe as it’s ever been and this bug has changed little. It only shows something we’ve known for a long time – you’ll find better security elsewhere.


  1. Rene-Pearson1789 February 13, 2019 at 9:09 pm

    I am particularly concerned about the PIA username and password bug. My reason is that it could be possible for someone to access my PIA account by using keyloggers. This means the person must have gained access to my hard drive.

    1. Kevin Marlowe Author March 4, 2019 at 10:44 am

      Hi Rene,

      I think you shouldn’t be as concerned. Firstly, a keylogger would let people gain access to your account regardless of the bug. Secondly, if there was a keylogger on your PC, your VPN account would be the least of your worries. Either way, PIA has since released a new client version, so you should update if you haven’t already!

  2. Tim Garrison December 23, 2018 at 1:10 pm

    What?!? The answers from PIA don’t sound reassuring at all! I really expect more from such a well-known VPN. I don’t use it personally, but I know people who do. I hope they know about this incident.

    1. Kevin Marlowe Author December 27, 2018 at 11:29 am

      Yes, we should expect a higher standard from VPN services, especially ones with this many users.
