3 scary tools that use Shodan search engine 3 ways to become root by exploiting the .bashrc file A hidden web shell in the plug-in wireless Planex MZK-DP150N | CVE-2021-37289 Are professional hackers also excellent magicians? Bob’s Cap - CTF Challenge Build your own WiFi Pineapple Tetra for $7. Crack Me 1 - CTF Challenge Crack Me 2 - CTF Challenge CTF Flag Mart - CTF Challenge Damn Cheap Cipher 2 - CTF Challenge Emoji - CTF Challenge Flask Task - CTF Challenge Hacker Kombat (THE GAME) - CTF Challenge Hackermon - CTF Challenge I Love Listings - CTF Challenge JabberJaw - Convert your router in portable network attack device. Not So Simple Cipher - CTF Challenge Pug a Plenty - CTF Challenge Secure any URL or Qr Code with a password! Simple Cipher - CTF Challenge Triva Unsecured - CTF Challenge VPN Ivacy, insecure design vulnerability discovered. Zipper - CTF Challenge

Ivacy  - The most secure VPN?

Few weeks ago, having finally got a real internet connection at home (no more pocket WiFi!), I started looking for a VPN provider to fully enjoy Netflix. In the same time, lucky as I am (or not), one of the blogs that's I often visit for my technology watch was advertising a VPN that I never heard before called Ivacy. The first thing that caught my attention was the price, Ivacy offers more than 200 VPN servers all over the world for only 0,9$ per month.

What a deal!?

After a visit on their website, everything seems to be serious, the web interface is pretty clear and well presented, the reviews of other websites seems to say only good things about it... Alright, I took the plunge and get the 5 years subscription offer.

Very exited to install Ivacy on my new and fresh router with the latest version of OpenWrt on it. But unfortunately for me, problems started here and nothing was working...

At first I thought it was a bad configuration of the router from my side. So to make sure about it I've downloaded the Ivacy Android App to check, but the result was the same, I couldn't connect at all... Well, I went back to my account on member area to search for more information but nothing.

My last solution, the Ivacy customer service. But before, Without really knowing why, I decided to open the web console to check what's going on between the application and the API, probably a habit of developer :)

And here is the first request that I found:

When we look this request closer we can notice immediately the client ID but also a JWT token. Everything normal so far.

But I've decided to change the client ID of the request by 1 and replay the request ...

BOOM! I've got a JSON response with the data user with the ID 1! 🤯

Then, my first question was: But what is the purpose of the JWT token in the request?

And my second question was: The most secure VPN?!

Anyway, before going further and alert the customer service about this vulnerability, I suddenly wanted to try other stuff and see how far I could go, got emails and devices information of other users is cool but be able to takeover any account is better!

Then I had the idea to use the forget password function, if I replay the request by changing the password and the client ID does it work? Well...

YES! What a surprise! The nice response from the API telling me that "my" password has been successfully updated. 🤣

I logged into the account to make sure that's it really worked.

Logged in!

Ok, now it's time to contact Ivacy's customer service and let them know about my overdraft while apologizing for having changed the password of another account.

At the moment, I think the vulnerability has been fixed, that's why I'm publishing this article now. Annnnd they also fixed my account problem!

For those who want to see "in direct live" I've uploaded a short PoC on my YouTube channel:

Anyway, next time I'll think twice before subscribing to a random website!

Cheers!