Ivacy  - The most secure VPN?

Few weeks ago, having finally got a real internet connection at home (no more pocket WiFi!), I started looking for a VPN provider to fully enjoy Netflix. In the same time, lucky as I am (or not), one of the blogs that's I often visit for my technology watch was advertising a VPN that I never heard before called Ivacy. The first thing that caught my attention was the price, Ivacy offers more than 200 VPN servers all over the world for only 0,9$ per month.

What a deal!?

After a visit on their website, everything seems to be serious, the web interface is pretty clear and well presented, the reviews of other websites seems to say only good things about it... Alright, I took the plunge and get the 5 years subscription offer.

Very exited to install Ivacy on my new and fresh router with the latest version of OpenWrt on it. But unfortunately for me, problems started here and nothing was working...

At first I thought it was a bad configuration of the router from my side. So to make sure about it I've downloaded the Ivacy Android App to check, but the result was the same, I couldn't connect at all... Well, I went back to my account on member area to search for more information but nothing.

My last solution, the Ivacy customer service. But before, Without really knowing why, I decided to open the web console to check what's going on between the application and the API, probably a habit of developer :)

And here is the first request that I found:

When we look this request closer we can notice immediately the client ID but also a JWT token. Everything normal so far.

But I've decided to change the client ID of the request by 1 and replay the request ...

BOOM! I've got a JSON response with the data user with the ID 1! 🤯

Then, my first question was: But what is the purpose of the JWT token in the request?

And my second question was: The most secure VPN?!

Anyway, before going further and alert the customer service about this vulnerability, I suddenly wanted to try other stuff and see how far I could go, got emails and devices information of other users is cool but be able to takeover any account is better!

Then I had the idea to use the forget password function, if I replay the request by changing the password and the client ID does it work? Well...

YES! What a surprise! The nice response from the API telling me that "my" password has been successfully updated. 🤣

I logged into the account to make sure that's it really worked.

Logged in!

Ok, now it's time to contact Ivacy's customer service and let them know about my overdraft while apologizing for having changed the password of another account.

At the moment, I think the vulnerability has been fixed, that's why I'm publishing this article now. Annnnd they also fixed my account problem!

For those who want to see "in direct live" I've uploaded a short PoC on my YouTube channel:

Anyway, next time I'll think twice before subscribing to a random website!