[HN Gopher] NordVPN Linux does not enforce 2FA even if it's enabled...
___________________________________________________________________
NordVPN Linux does not enforce 2FA even if it's enabled in user
settings
Security problem: Linux version of the NordVPN client does not
enforce 2FA (two-factor authentication) even if it is enabled in user
settings. After installation the Linux NordVPN does not _EVER_
verify the 2FA code. This is what happens:

--- snip ---
memyself@mylinux ~> sudo su
root@mylinux:/home/homeuser# nordvpn status
Status: Disconnected
root@mylinux:/home/homeuser# nordvpn login
Please enter your login details.
Email: homeuser@mailservice.org
Password: *******
Welcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.
root@mylinux:/home/homeuser# nordvpn connect France
Connecting to France #742 (fr742.nordvpn.com)
You are connected to France #742 (fr742.nordvpn.com)!
root@mylinux:/home/homeuser#
--- snip ---

That log is from Linux Mint 20.2 with all the latest patches,
kernel and latest version of NordVPN Linux (3.10.0) (normal apt
upgrade process done for everything). Username, hostname etc. have
been just modified for privacy purposes. Also note, this happened
on the first run on that Linux computer so 2FA should've been
enforced. But at no point does the NordVPN client call for the 2FA
token. :(

Now, an honest question: Who does not see this as a potential
security hole here? It's the NordVPN server who should ensure that
not _ANY_ client can log in without the correct 2FA token if it's
enabled. Now a Linux client can log in at any time if correct
credentials are known. It seems that the 2FA is implemented on the
client side completely. Which is not the correct way to do it. Fake
spoofing NordVPN clients start to arrive which can bypass 2FA on
any account. Windows and Mobile NordVPN clients seem to enforce it,
but if the 2FA verification is done on client side then the whole
meaning is nullified.

Btw, this happened when I posted the above msg in r/nordvpn:

Feedback
Sorry, this post has been removed by the moderators of r/nordvpn.
Moderators remove posts from feeds for a variety of reasons,
including keeping communities safe, civil, and true to their
purpose.

Mopping a serious problem under the carpet?
Author : codesmith-fi
Score : 6 points
Date : 2021-09-17 22:03 UTC (58 minutes ago)
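
The property the post asks for, that the server issues no usable session until it has verified the 2FA code itself, as an added example (not part of the original post and not NordVPN's code). `AuthServer`, its method names and the sample account are hypothetical; the second factor is assumed to be RFC 6238 TOTP.

```python
import hashlib, hmac, secrets, struct, time

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical auth service: the second factor is checked here, not in the client."""
    def __init__(self):
        # users: email -> (salt, password hash, TOTP secret or None)
        # pending: challenge id -> email (password ok, 2FA still outstanding)
        # sessions: session token -> email
        self.users, self.pending, self.sessions = {}, {}, {}

    def add_user(self, email, password, totp_secret=None):
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, _hash(password, salt), totp_secret)

    def login(self, email, password):
        """Step 1: ('session', token), ('2fa_required', challenge) or ('denied', None)."""
        salt, pw_hash, secret = self.users.get(email, (b"\0" * 16, b"", None))
        if not hmac.compare_digest(_hash(password, salt), pw_hash):
            return ("denied", None)
        if secret is None:                      # 2FA not enabled for this account
            return ("session", self._issue(email))
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = email
        return ("2fa_required", challenge)      # not a session; connect() rejects it

    def verify_2fa(self, challenge, code, now=None):
        """Step 2: only a valid TOTP code turns a challenge into a session."""
        email = self.pending.pop(challenge, None)   # single use, pass or fail
        now = time.time() if now is None else now
        if email is None or not hmac.compare_digest(
                code.encode(), totp(self.users[email][2], now).encode()):
            return ("denied", None)
        return ("session", self._issue(email))

    def _issue(self, email):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    def connect(self, token):
        # VPN access is granted only for a token this server issued
        return token in self.sessions
```

A client that never prompts for the code stops at `2fa_required` and holds nothing `connect()` accepts, so the outcome does not depend on which client is used.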
| [deleted]
___________________________________________________________________
(page generated 2021-09-17 23:02 UTC)