The popular VPN client app OpenVPN Connect has patched a critical security flaw that could have exposed users’ private keys and allowed their VPN traffic to be decrypted.
A recently disclosed vulnerability (CVE-2024-8474) in OpenVPN Connect left millions of users potentially exposed to cyberattacks. The flaw, present in versions before 3.5.0, caused the app to write the configuration profile’s private key in clear text to the application log. A malicious actor with access to the device could therefore extract the key and decrypt the user’s VPN traffic, rendering the VPN protection useless.
OpenVPN Connect, which has over 10 million downloads on the Google Play Store, is a popular client application used to establish secure connections to VPN servers. It’s worth remembering that OpenVPN Connect itself doesn’t provide a VPN service; users must connect it to a separate VPN server.
While the latest version (3.5.1) primarily addresses an app stability issue (crashing after prolonged inactivity), users are strongly urged to update to this version to ensure they are protected from the key leakage vulnerability.
What should OpenVPN Connect users do?
- Update immediately: Download and install OpenVPN Connect version 3.5.1 or later from the Google Play Store and App Store.
- Check your logs: If you used a version prior to 3.5.0, review your application logs for any suspicious activity.
- Change your VPN credentials: As a precaution, consider changing your VPN username and password.
- Stay vigilant: Always be wary of potential security risks and keep your software updated.
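The "check your logs" step above, as an added example that is not OpenVPN's own code: it scans a constructed sample application log (the line format is hypothetical and the key material is a placeholder) for PEM private-key blocks, reports where they sit, and redacts them so the log can be shared safely.

```python
import re
from typing import List, Tuple

# Constructed sample of what an affected (< 3.5.0) app log could look like.
# The line format is hypothetical; the key body is a placeholder, not a real key.
SAMPLE_LOG = """\
2024-09-01 10:00:01 INFO  Loading profile "work.ovpn"
2024-09-01 10:00:01 DEBUG profile body:
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER_BASE64_KEY_MATERIAL_LINE_1
PLACEHOLDER_BASE64_KEY_MATERIAL_LINE_2
-----END PRIVATE KEY-----
</key>
2024-09-01 10:00:02 INFO  Connecting to vpn.example.com:1194
"""

# Matches any PEM private-key block (PKCS#8, RSA, EC, OpenSSH, encrypted or not).
PEM_KEY_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
    re.DOTALL,
)


def find_leaked_keys(log_text: str) -> List[Tuple[int, int]]:
    """Return (start_line, end_line), 1-based, for every private-key block found."""
    hits = []
    for m in PEM_KEY_RE.finditer(log_text):
        start_line = log_text.count("\n", 0, m.start()) + 1
        end_line = log_text.count("\n", 0, m.end()) + 1
        hits.append((start_line, end_line))
    return hits


def redact_keys(log_text: str) -> str:
    """Replace each leaked key block with a marker before the log leaves the device."""
    return PEM_KEY_RE.sub("[REDACTED PRIVATE KEY]", log_text)


if __name__ == "__main__":
    for start, end in find_leaked_keys(SAMPLE_LOG):
        print(f"private key material found at lines {start}-{end}")
    print(redact_keys(SAMPLE_LOG))
```

A hit means that key has been exposed to anything that could read the log, so it should be reissued alongside the credential change advised above.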