On Monday, February 22, around 6:00pm CST, we became aware of an article published by ZDNet sharing information discovered by security researcher Phenomite. The article revealed a bug in VyprVPN servers which could be used as a vector for a DDoS attack.
Upon seeing the article, we immediately escalated the matter to our technical teams. We identified the bug and deployed a patch within an hour, at approximately 7PM CST on February 22nd.
As you know, at VyprVPN we take security very seriously. We are grateful to Phenomite for pointing out this bug, and appreciate efforts by researchers, users and good net citizens alike. We aim to build the best product possible, which is why we welcome feedback at all times.
What Was the Effect of the DDoS Bug?
Once aware of the bug, we completed a thorough evaluation of our systems and issued a fix. We are confident that no customer information or data was impacted or compromised.
Furthermore, we verified that no infrastructure was breached by any third party and there was no unauthorized access to VyprVPN’s servers.
During our investigation we were also unable to identify any significant traffic exploiting the vulnerability; we saw minimal traffic through these ports. After a thorough analysis of our infrastructure, we showed peak traffic of only about 16 Mbps (versus the reported 22 Gbps referenced in the original article).
The situation did not impact our entire service, but was isolated to a single protocol, Chameleon. Chameleon is an innovative protocol designed to defeat tough censorship and VPN blocking, and we continue to push the envelope as we design new technologies. Chameleon was recently updated to Version 3, and sometimes innovation comes with bumps along the way. Software development is certainly not always perfect. We have measures in place within our software development process to identify and mitigate potential security vulnerabilities or exploits. After this event we are revisiting these procedures and will, as always, aim to improve our testing of the new technologies we create.
What Happens Next?
Our mission is to provide people around the world with access to an open and free Internet. Part of this means creating tools to empower people to access this internet experience, and we remain committed to developing cutting-edge tech solutions such as Chameleon. We will keep pushing forward and innovating.
Again, we welcome and encourage any feedback. So, if you’re a user, researcher or journalist, and want to report an issue with our service or ask a question, we would love to hear from you. Please always feel free to contact us at either of the following addresses for a quick response:
We are fully committed to upholding the strongest privacy and security standards, and to providing the best experience possible for our users. Thanks for choosing VyprVPN!