NordVPN Linux does not enforce 2FA even if it's enabled in user settings

news.ycombinator.com
My original post: https://www.reddit.com/r/linux/comments/pq9u2e/security_alert_nordvpn_linux_does_not_enforce_2fa/

Security problem: Linux version of the NordVPN client does not enforce 2FA (two-factor authentication) even if it is enabled in user settings.

After installation the Linux NordVPN does not EVER verify the 2FA code. This is what happens:

    memyself@mylinux ~> sudo su
    root@mylinux:/home/homeuser# nordvpn status
    Status: Disconnected
    root@mylinux:/home/homeuser# nordvpn login
    Please enter your login details.
    Email: homeuser@mailservice.org
    Password: *******
    Welcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.
    root@mylinux:/home/homeuser# nordvpn connect France
    Connecting to France #742 (fr742.nordvpn.com)
    You are connected to France #742 (fr742.nordvpn.com)!
    root@mylinux:/home/homeuser#

That log is from Linux Mint 20.2 with all the latest patches, kernel and latest version of NordVPN Linux (3.10.0) (normal apt upgrade process done for everything). Username, hostname etc. have just been modified for privacy purposes.

Also note, this happened on the first run on that Linux computer, so 2FA should've been enforced. But at no point does the NordVPN client call for a 2FA token. :(

Now, an honest question:

Who does not see this as a potential security hole here? It's the NordVPN server that should ensure that not ANY client can log in without the correct 2FA token if it's enabled. Now a Linux client can log in at any time if the correct credentials are known.

It seems that the 2FA is implemented on the client side completely, which is not the correct way to do it. Fake spoofing NordVPN clients start to arrive which can bypass 2FA on any account.

Windows and Mobile NordVPN clients seem to enforce it, but if the 2FA verification is done on the client side then the whole meaning is nullified.

Btw, this happened when I posted the above msg in r/nordvpn

Feedback

Sorry, this post has been removed by the moderators of r/nordvpn.
Moderators remove posts from feeds for a variety of reasons, including keeping communities safe, civil, and true to their purpose.

Mopping a serious problem under the carpet?

Comments URL: https://news.ycombinator.com/item?id=28571417
Points: 1
# Comments: 0