Hi everyone, I found a problem with Mullvad and account generation. This is just theory and a PoC, but this is open source, so I thought about this: since Mullvad accounts only have numbers, why can't accounts just be brute-forced and saved to a list of valid ones? It turns out it might be possible.
Remediation: hexadecimal accounts, not just numbers.
Generate Account Numbers Sequentially: Use a tool like seq in Linux or Python to generate numbers in the required 16-digit format.
Test Against Mullvad’s API: Use curl or a similar tool to send HTTP requests to the Mullvad endpoint to check if an account number is valid.
Save Valid Accounts: If the API response indicates the account is valid, save the number to a file.
Subject: Potential Vulnerability in Mullvad Account Generation
Hi everyone,
I’ve identified a potential security concern related to Mullvad account generation. While this is currently just a theoretical proof-of-concept (POC), I believe it’s important to discuss given Mullvad’s open-source nature.
The Issue:
Mullvad accounts are currently represented by a sequence of numbers. This numerical format raises the possibility of brute-force attacks, where attackers could systematically try different account numbers to identify valid ones.
Proposed Mitigation:
To enhance security, consider adopting a hexadecimal-based account system instead of a purely numerical one. Hexadecimal representation offers a significantly larger character set, making brute-force attacks exponentially more difficult.
Utilize tools like seq in Linux or Python to generate hexadecimal numbers within the desired length (e.g., 16 digits).
Test Against Mullvad’s API:
Employ curl or similar tools to send HTTP requests to Mullvad’s API endpoint to validate each generated hexadecimal number.
Save Valid Accounts:
Store valid hexadecimal account numbers in a secure location.
POC: validgen
The validgen tool serves as a proof-of-concept demonstration of this potential vulnerability.
Note:
It’s crucial to emphasize that this is a hypothetical analysis and does not necessarily indicate an immediate security threat. However, proactive measures to strengthen account security are always advisable.
I encourage the Mullvad team to review this potential issue and consider implementing the suggested mitigation strategy.
We do know Mullvad has some mitigations against brute forcing, but we don’t really know what they are (for obvious reasons)… I do agree with what others have said that there should be some kind of PIN, password or OTP though… While you make really good points, the issue is that one good lucky guess and someone else gets to use your account, which seems to be the whole premise for what OP is trying to do… Lucky guesses.
I would much rather go with OTP than PIN though, because it adds more randomness to it. It would make any sort of brute-forcing fairly pointless, because you would need to be extremely lucky and very fast too.
Well, you could hook into the VPN app and try every combination using the VPN app's login and sending the traffic via proxies. It would take a lot of effort, but yeah, you can.
The only rate limit is the amount you can send and test and the number of proxies, since the total size of making the entire list of all the combinations and saving it is 16 petabytes.
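On the detection side, as an added example (not code from this thread, from Mullvad, or from the validgen tool): the keyspace comparison behind the hexadecimal suggestion, plus a small detector that spots sequential account-number enumeration in login logs even when the attempts are spread across many proxies. The log format and the IP addresses are constructed for illustration and are assumptions, not Mullvad's real log format.

```python
from collections import defaultdict

# Constructed sample log lines (not real Mullvad logs): "<unix_ts> <source_ip> <account> <result>"
SAMPLE_LOG = """\
1700000000 203.0.113.5 1234567890123456 fail
1700000001 203.0.113.6 1234567890123457 fail
1700000002 203.0.113.7 1234567890123458 fail
1700000003 203.0.113.8 1234567890123459 fail
1700000004 198.51.100.9 9876543210987654 ok
1700000005 203.0.113.9 1234567890123460 fail
1700000010 198.51.100.10 5555555555555555 fail
1700000011 198.51.100.10 5555555555555555 ok
"""

def keyspace_size(length, base):
    """Number of possible account numbers of a given length: base ** length."""
    return base ** length

def parse_log(text):
    """Parse the constructed log format into (ts, ip, account, result) tuples."""
    return [(int(ts), ip, int(acct), res)
            for ts, ip, acct, res in (line.split() for line in text.splitlines())]

def find_sequential_runs(events, min_run=4, window=60):
    """Flag runs of consecutive account numbers that all failed to log in within
    `window` seconds of each other. Keyed on the account number rather than the
    source IP, so the pattern still shows when attempts are spread over proxies."""
    first_fail, sources = {}, defaultdict(set)
    for ts, ip, acct, result in events:
        if result == "fail":
            first_fail[acct] = min(ts, first_fail.get(acct, ts))
            sources[acct].add(ip)
    runs, run = [], []

    def flush():  # emit the current run if it is long enough to be suspicious
        if len(run) >= min_run:
            ips = set().union(*(sources[a] for a, _ in run))
            runs.append({"start": run[0][0], "end": run[-1][0],
                         "count": len(run), "sources": len(ips)})

    for acct, ts in sorted(first_fail.items()):  # ascending by account number
        if run and acct == run[-1][0] + 1 and abs(ts - run[-1][1]) <= window:
            run.append((acct, ts))
        else:
            flush()
            run = [(acct, ts)]
    flush()
    return runs
```

Calling `find_sequential_runs(parse_log(SAMPLE_LOG))` on the constructed log reports one run of five consecutive accounts coming from five different sources, which a per-IP rate limit alone would not catch; `keyspace_size(16, 16)` versus `keyspace_size(16, 10)` shows the 2^64 versus 10^16 difference the hexadecimal proposal relies on.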