A recently patched security vulnerability in the Kaspersky VPN application for Android resulted in DNS queries being exposed even after the user connected to a virtual server.
The flaw was discovered in Kaspersky VPN version 1.4.0.216 and is believed to affect previous iterations of the Android software.
According to Dhiraj Mishra, the security researcher who discovered the bug, the application would send DNS queries outside the established VPN tunnel. The privacy issue could be triggered when connecting to any random virtual server, and basically allowed a DNS service to log the domain names of the sites visited by users.
Kaspersky VPN has more than 1 million downloads in Google Play.
“I believe this leaks the traces of an end user who wants to remain anonymous on the internet,” the researcher notes in a blog post.
The vulnerability was reported to Kaspersky via the anti-virus maker’s bug bounty program on HackerOne on April 21. A fix was already released for the flaw, but no reward was issued for the finding, the security researcher says.
As per Kaspersky’s public bug bounty program’s rules, rewards are handed out for flaws that result in leaked sensitive data, but only user passwords, payment data, and authentication tokens are considered within the scope of the program.
Thus, it becomes clear that the researcher’s discovery of a bug that results in leaked DNS addresses doesn’t fall within the bug bounty program’s scope.
On the other hand, however, Kaspersky does note in the application’s description in Google Play, that its VPN software can keep users anonymous while they browse the Internet.
“Because your location and your IP address aren’t revealed through the VPN service, it’s easier for you to access websites and content in other regions – without being traced,” Kaspersky VPN’s description reads.
Responding to a SecurityWeek inquiry, Kaspersky Lab confirmed the flaw and recognized Dhiraj’s contribution to improving the app’s security: “This vulnerability was responsibly reported by the researcher, and was fixed in June.”
Kaspersky also confirmed that the researcher did not receive a bug bounty reward for the discovery.
“The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhirai under the current rules. We highly appreciate his work, and in the future the program may include new products,” Kaspersky said.
Related: Kaspersky Lab Offers $100,000 for Critical Vulnerabilities
Related: Kaspersky Adds Password Manager to Bug Bounty Program

More from Ionut Arghire
- 820k Impacted by Data Breach at Zacks Investment Research
- US Government Agencies Warn of Malicious Use of Remote Management Software
- Chinese Hackers Adopting Open Source ‘SparkRAT’ Tool
- CISA Provides Resources for Securing K-12 Education System
- Strata Raises $26 Million for Multi-Cloud Identity Management Platform
- Riot Games Says Source Code Stolen in Ransomware Attack
- Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones
- Attacks Targeting Realtek SDK Vulnerability Ramping Up
Latest News
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
