Proton Technologies AG, a widely recognized provider of privacy-focused services, finds itself under scrutiny following the discovery of severe memory protection vulnerabilities in two of its flagship offerings Proton VPN and Proton Pass.
These security issues leave sensitive user data, including encrypted VPN traffic and credit card details, at risk of exploitation.
Memory Protection Flaws in Proton Pass
Proton Pass, a robust password manager trusted by millions, has been found to have critical flaws in its memory handling processes.
During testing, researchers from Venak Security identified that malicious actors could exploit these vulnerabilities to extract sensitive data, including stored credit card information.
This is achieved through the use of advanced point-of-sale (POS) malware, akin to strains such as Fin7 POS and TinyPOS, which scan unprotected memory spaces for high-value information.
The researchers demonstrated that Proton Pass does not implement adequate safeguards against memory-based attacks.
Attackers can easily bypass protections, gaining access to sensitive data stored in memory.
This vulnerability raises significant concerns, as compromised credit card information can be used for financial fraud or other forms of cybercrime.
Proton’s response to these findings has been met with skepticism. The company asserted that admin-level access would be required to exploit such memory vulnerabilities.
However, Venak Security’s proof-of-concept (POC) demonstrated otherwise, successfully extracting data using standard tools like Cheat Engine.
Vulnerability to MITM Attacks
Similar concerns extend to Proton VPN, a virtual private network (VPN) service that has long marketed itself as a shield against state-sponsored surveillance.
Researchers revealed that the service employs static private keys for its servers, a practice that leaves user traffic highly susceptible to man-in-the-middle (MITM) attacks.
Proton VPN relies on the popular WireGuard protocol for encryption, which depends on public and private keys for securing user data.
However, Proton’s implementation lacks adequate protection for these keys in memory.
During an evaluation, Venak Security successfully extracted private keys from memory during key generation and demonstrated the ability to intercept and decrypt encrypted traffic.
This breach exposes users to the possibility of real-time traffic monitoring by attackers.
In their examination, the researchers also observed that Proton VPN’s memory inadequacies allowed them to extract DNS traffic and monitor it from the kernel level, further compounding the risks for users.
The vulnerabilities in both Proton Pass and Proton VPN highlight a significant lapse in the company’s commitment to securing user privacy.
Memory protection is a critical component of cybersecurity, yet these flaws jeopardize the trust of their 500 million global users.
Proton Technologies now faces a critical juncture. Addressing these vulnerabilities promptly is essential to restoring user confidence and safeguarding the sensitive data that its services are designed to protect.
Until these issues are resolved, users are urged to exercise caution and consider alternative solutions for their data protection needs.
