Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Kaspersky VPN Bug Leaked DNS Lookups

A recently patched security vulnerability in the Kaspersky VPN application for Android resulted in DNS queries being exposed even after the user connected to a virtual server.

A recently patched security vulnerability in the Kaspersky VPN application for Android resulted in DNS queries being exposed even after the user connected to a virtual server.

The flaw was discovered in Kaspersky VPN version and is believed to affect previous iterations of the Android software.

According to Dhiraj Mishra, the security researcher who discovered the bug, the application would send DNS queries outside the established VPN tunnel. The privacy issue could be triggered when connecting to any random virtual server, and basically allowed a DNS service to log the domain names of the sites visited by users.

Kaspersky VPN has more than 1 million downloads in Google Play.

 “I believe this leaks the traces of an end user who wants to remain anonymous on the internet,” the researcher notes in a blog post.

The vulnerability was reported to Kaspersky via the anti-virus maker’s bug bounty program on HackerOne on April 21. A fix was already released for the flaw, but no reward was issued for the finding, the security researcher says.

As per Kaspersky’s public bug bounty program’s rules, rewards are handed out for flaws that result in leaked sensitive data, but only user passwords, payment data, and authentication tokens are considered within the scope of the program.

Thus, it becomes clear that the researcher’s discovery of a bug that results in leaked DNS addresses doesn’t fall within the bug bounty program’s scope.

On the other hand, however, Kaspersky does note in the application’s description in Google Play, that its VPN software can keep users anonymous while they browse the Internet.

“Because your location and your IP address aren’t revealed through the VPN service, it’s easier for you to access websites and content in other regions – without being traced,” Kaspersky VPN’s description reads.

Responding to a SecurityWeek inquiry, Kaspersky Lab confirmed the flaw and recognized Dhiraj’s contribution to improving the app’s security: “This vulnerability was responsibly reported by the researcher, and was fixed in June.”

Kaspersky also confirmed that the researcher did not receive a bug bounty reward for the discovery.

“The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhirai under the current rules. We highly appreciate his work, and in the future the program may include new products,” Kaspersky said.

Related: Kaspersky Lab Offers $100,000 for Critical Vulnerabilities

Related: Kaspersky Adds Password Manager to Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet