Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Kaspersky VPN Bug Leaked DNS Lookups

A recently patched security vulnerability in the Kaspersky VPN application for Android resulted in DNS queries being exposed even after the user connected to a virtual server.

A recently patched security vulnerability in the Kaspersky VPN application for Android resulted in DNS queries being exposed even after the user connected to a virtual server.

The flaw was discovered in Kaspersky VPN version and is believed to affect previous iterations of the Android software.

According to Dhiraj Mishra, the security researcher who discovered the bug, the application would send DNS queries outside the established VPN tunnel. The privacy issue could be triggered when connecting to any random virtual server, and basically allowed a DNS service to log the domain names of the sites visited by users.

Kaspersky VPN has more than 1 million downloads in Google Play.

 “I believe this leaks the traces of an end user who wants to remain anonymous on the internet,” the researcher notes in a blog post.

The vulnerability was reported to Kaspersky via the anti-virus maker’s bug bounty program on HackerOne on April 21. A fix was already released for the flaw, but no reward was issued for the finding, the security researcher says.

As per Kaspersky’s public bug bounty program’s rules, rewards are handed out for flaws that result in leaked sensitive data, but only user passwords, payment data, and authentication tokens are considered within the scope of the program.

Thus, it becomes clear that the researcher’s discovery of a bug that results in leaked DNS addresses doesn’t fall within the bug bounty program’s scope.

On the other hand, however, Kaspersky does note in the application’s description in Google Play, that its VPN software can keep users anonymous while they browse the Internet.

“Because your location and your IP address aren’t revealed through the VPN service, it’s easier for you to access websites and content in other regions – without being traced,” Kaspersky VPN’s description reads.

Responding to a SecurityWeek inquiry, Kaspersky Lab confirmed the flaw and recognized Dhiraj’s contribution to improving the app’s security: “This vulnerability was responsibly reported by the researcher, and was fixed in June.”

Kaspersky also confirmed that the researcher did not receive a bug bounty reward for the discovery.

“The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhirai under the current rules. We highly appreciate his work, and in the future the program may include new products,” Kaspersky said.

Related: Kaspersky Lab Offers $100,000 for Critical Vulnerabilities

Related: Kaspersky Adds Password Manager to Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...