WARNING: PIA programs are leaking your username and password- What’s the reality?
Today a user posted on Reddit forum claiming that the world and trusted popular VPN service Private Internet Access (PIA) is leaking user data due to a flaw in its implementation protocol. He claimed that there are 2 different processes handling whole login process and while these 2 processes are handling the app they keep username and password in unencrypted form as a text file. This file could easily be intercepted and stolen by the third party if they want to. But is it really true or there is something behind the scene here? The PIA explained it in details. You can find the expalantion below, first I would like to quote the post made on Reddit Forum‘s Privacy subreddit.
The PIA program for Linux and Windows have a program design flaw, which temporarily stores your username and password in an unencrypted file.
“It happens because there are 2 (main) processes one handling the GUI and one which handles the connection. As someone is connecting to the VPN the GUI process writes the username and password in plain text into a file called user_pass.txt in the installation folder. Then the second process is being spawned an reads from the file and deletes it. So if you block the file from being deleted you can read the username and password in plain text.”
Here’s a video demonstrating this vulnerability. The discoverer hasn’t tested this on Android or MacOS, but the design is most likely done similarly and could expose the same information.
This isn’t a major concern yet, but this needs to be fixed before it is abused. If you’re a PIA user, submit a complaint so they can fix this ASAP. They supposedly denied it as a vulnerability because “it doesn’t involve privilege escalation.”
The user also added the link to Private Internet Access’s contact details but in a sarcastic way.
Here’s a link for you to send them a support ticket: https://www.privateinternetaccess.com/pages/contact-us
In response to this post the PIA’s support team posted a clarification on its Tweeter Support handle:
So this comes directly from our development team:
I believe there’s been some confusion here which I’d like to clear up. This issue doesn’t allow people to access your machine, your traffic, or your credentials. Someone is only able to do this if they’re already able to run code and/or access files on your machine (and as noted by others in the thread, if your machine is compromised to this degree, one app is the least of your concerns).
While this is an implementation detail with our desktop app we’ll likely revisit in the future, the core limitation here is the lack of app-segregated storage on the PC platform (especially Windows). Installed apps are trusted by design to read any of the user’s files, including files from other apps. We don’t normally consider this a security vulnerability unless it somehow allows privilege escalation.
However, it’s always good to ensure that different passwords are used for different services. Since the passwords of PIA accounts are auto-generated, these should be different already.
Also, Senior Vice President of Customer Experience at Private Internet Access also gave an explanation on this story saying that the exploit is only effective if the hacker or unauthorized person has access to your PC before you face this problem (if you consider it a problem). In which case, the user has too many other things to worry about and PIA’s password should be less of a concern. But they will work on this design part in next revisions:
While this is an implementation detail we’ll likely revisit in the future, the core limitation here is the lack of app-segregated storage on the PC platform (especially Windows).
Installed apps are trusted by design to read any of the user’s files, including files from other apps. We don’t normally consider this a security vulnerability unless it somehow allows privilege escalation.
Whilst your username and password are used to authenticate on to the PIA service, they do not affect and are not connected in anyway to your encryption, thus ensuring that your traffic is secure.
We would also remind users that you can change your password in the Customer Control Panel and we always encourage using secure and unique passwords as illustrated in our helpdesk article here.
Just for clarity and transparency, I’m the Senior Vice President of Customer Expeience for Private Internet Access.
Props up to the customer Experience representative for quickly winding up the speculation with quick expalanation as a lot of people were panicking due to this story as people are upvoting this story on Reddit to the top of said subreddit.
If you have any query please do share in the comment section below!