Kaspersky has fixed a bug in their Kaspersky VPN app for Android that leaked the computer's configured DNS server while using a VPN connection.
For a VPN to completely anonymize a user while they are using the Internet, it needs to not only hide the IP address, but also the computer's configured DNS servers. This way when a VPN user visits a site, all associated network traffic will flow through the assigned IP address and DNS servers from the VPN provider, rather than the local computer.
According to a security researcher Dhiraj Mishra, the bug in Kaspersky's product existed in Kaspersky VPN version 18.104.22.168 and earlier. When Mishra discovered DNS leak risk he created a report on Kaspersky's HackerOne page.
"Their was an issue in Kaspersky VPN <=v22.214.171.124 which leaks your DNS Address even after you're connected to any virtual server," Mishra told BleepingComputer via email. "I reported this vulnerability on Apr 21st (4 months ago) via H1, and a fix was pushed for same."
When using Kaspersky VPN and conducting a leak test through https://ipleak.net/, he discovered that in addition to the VPN connection's DNS servers, he was also seeing the DNS server configured on his local computer. You can see this in the image below, where the first server was the one configured on his computer and the other three were the ones configured in the Kaspersky VPN connection.
If the app was working as expected, the leak test would not have shown the DNS server configured on Mishra's computer.
Kaspersky has since fixed this issue in version 126.96.36.1996, which was released on June 20th 2018. Mishra has also confirmed that this update has resolved the DNS leak. So anyone who is using an older version of Kaspersky VPN - Secure Connection should immediately upgrade the app on their mobile device.
In conversations between Mishra and Kaspersky that were shared with BleepingComputer, Mishra had asked if Kaspersky would consider giving a bug bounty for the bug report. At first, Kaspersky had stated that they would look into a bug bounty, but ultimately decided to only increase Mishra's reputation on HackerOne.
"I was expecting some bounty, because i waited more than 5 months to get this resolved but no bounty was awarded by Kaspersky, they just increased my reputation on HackerOne platform." Mishra told BleepingComputer.
When BleepingComputer contacted Kaspersky for comment, they issued the following statements:
“Kaspersky Lab would like to thank Dhiraj Mishra for discovering a vulnerability in the Android-based Kaspersky Secure Connection app, which allowed a DNS service to log the domain names of the sites visited by users. This vulnerability was responsibly reported by the researcher, and was fixed in June.
The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhirai under the current rules. We highly appreciate his work, and in the future the program may include new products. As stated in Kaspersky Lab’s Bug Bounty Program rules, bounties are currently paid for two major products: Kaspersky Internet Security and Kaspersky Endpoint Security. The company is ready to pay up to $20,000 for the discovery of some bugs in these products, and up to $100,000 for the most severe."