article blog.rubyonrails.ba
Paid VPNs spamming us all the time? Is this okay?
29/12/2022
Lately I have been spending more time on bug bounties: reading, trying, exercising in general. As my brain switches to thinking more about it, I am becoming more and more curious about bugs, services and so on. After thinking about it for the last three days, I wanted to check my own sites, just out of curiosity.

The sites are rubyonrails.ba, javascript.ba and porezi.info. All of them are built with Ruby on Rails and some of them have a decent number of daily visits.
Nothing too special. However, I wanted to check the sites a bit more in terms of security, and very quickly I saw something weird at the bottom of the sites' source code: a 'style' HTML tag with a bunch of domain names and links. Looking more into it, I saw that many of the linked sites are porn or nudity sites in general.

[Illustration]

I was a bit surprised. My first thought was "Oh, they are hacked and somebody is using my sites for spamming". I wondered what kind of damage they had done and how long this had been happening. The first thing after that was to check all the JS files I reference in my sites, in case one of those free libraries was doing this kind of thing.

In general, all of them use default libraries, like vanilla JS or jQuery, some Bootstrap/Materialize, and custom JS/CSS which I wrote myself.
Looking further into the sites' code, I saw that I have a reference to googletagmanager.js; checking my AdSense, I saw I never really used it, so maybe this was the problem.

Removing it from my site did not solve the problem. So I spent a few hours looking further into what was happening, checking the VPS where the sites are hosted, and so on. I couldn't see anything unusual.

In the end I got the idea to check my VPN: what if my ISP is doing this? If I use a VPN, maybe the problem will disappear?
At that moment I saw I was already connected to a VPN, probably to a server in Singapore. Hmm, so let me disconnect and check what happens.
I refreshed those view-source pages and the style blocks disappeared. Bingo!

So, it's the VPN!

I tested a few more times, on different websites like google.com, yahoo.com, twitter.com and my sites again, and in every case, once disconnected from NordVPN, that style block is not visible any more. Looking at the links and domains appended to every page I browse, I see, besides a lot of ad domains, mostly porn site domains. This is not right!
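The disconnect/reconnect comparison above can be scripted so it does not depend on eyeballing view-source. The Ruby below is an added example, not code from the original post or from the author's sites: it takes two copies of the same page body (one fetched with the tunnel down, one with it up), lists the hostnames that appear only in the second copy, measures how many extra bytes arrived, and counts anchor tags sitting inside `<style>` elements, where they never belong. The two HTML samples are constructed here to mirror what the post describes; the hostnames in the injected block are taken from the list at the end of the post, the paths are made up, and `fetch_body` is a plain helper for running it against live pages. One caveat when running it for real: a page served over HTTPS cannot be altered in transit without a certificate the browser trusts, so an injection that shows up in an HTTPS page points at something on the client side (the VPN application or a browser extension) or at an interception certificate rather than at the tunnel itself.

```ruby
require "uri"
require "set"
require "net/http"

# Constructed sample bodies (not captures from the author's sites): the same
# page as it should look, and the same page with a trailing <style> element
# stuffed with anchors, which is the shape of injection the post describes.
CLEAN_HTML = <<~HTML
  <!doctype html>
  <html><head><title>rubyonrails.ba</title>
  <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
  </head>
  <body>
  <a href="/posts">Posts</a>
  <a href="https://javascript.ba/">javascript.ba</a>
  </body>
  </html>
HTML

# Hostnames below come from the list at the end of the post; paths are made up.
INJECTED_BLOCK = <<~BLOCK
  <style>
  <a href="//pubads.g.doubleclick.net/gampad/ads">x</a>
  <a href="https://delivery.porn.com/?x=1">x</a>
  <a href="http://lead1.pl/">x</a>
  <a href="https://go.nordvpn.net/aff">x</a>
  </style>
BLOCK

INJECTED_HTML = CLEAN_HTML.sub("</body>", INJECTED_BLOCK + "</body>")

HREF_RE = /href\s*=\s*["']([^"']+)["']/i

# Set of hostnames referenced by href attributes. Scheme-relative links
# ("//host/path") are counted too; the post's list shows several of them.
def link_hosts(html)
  html.scan(HREF_RE).flatten.each_with_object(Set.new) do |href, hosts|
    href = "https:" + href if href.start_with?("//")
    begin
      host = URI.parse(href).host
    rescue URI::InvalidURIError
      next
    end
    hosts << host.downcase if host
  end
end

# Anchor tags inside <style> elements never belong there; a non-zero count is
# the signature the post describes.
def anchors_inside_style(html)
  html.scan(%r{<style[^>]*>(.*?)</style>}mi).flatten.sum { |body| body.scan(/<a\s/i).size }
end

# Differential check: fetch the same URL with the tunnel down and with it up,
# then pass both bodies here. Returns the hosts that exist only in the suspect
# copy, the size difference in bytes, and the anchors-inside-style count.
def compare_bodies(clean_html, suspect_html)
  {
    injected_hosts: (link_hosts(suspect_html) - link_hosts(clean_html)).sort,
    extra_bytes: suspect_html.bytesize - clean_html.bytesize,
    anchors_in_style: anchors_inside_style(suspect_html)
  }
end

# Plain GET, no redirect following; call it once per network path.
def fetch_body(url)
  Net::HTTP.get_response(URI(url)).body
end

if __FILE__ == $PROGRAM_NAME
  # Offline demonstration on the constructed samples. For a live check:
  #   clean   = fetch_body("https://rubyonrails.ba/")  # VPN disconnected
  #   suspect = fetch_body("https://rubyonrails.ba/")  # VPN connected
  result = compare_bodies(CLEAN_HTML, INJECTED_HTML)
  puts "injected hosts:   #{result[:injected_hosts].join(', ')}"
  puts "extra bytes:      #{result[:extra_bytes]}"
  puts "anchors in style: #{result[:anchors_in_style]}"
end
```

The comparison is by hostname rather than by full URL because tracking links carry per-request parameters; a host that only ever shows up with the tunnel up is the interesting signal, and the byte delta gives the "how much extra HTML per page" number without counting by hand.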


If I had been seeing just ad domains and links, I probably wouldn't have reacted the way I did. But there are porn and nudity links, a big number of porn links, and my paid service somehow appends them to every page I browse. This is definitely not right!
 
So, the next step was to contact NordVPN support. In the first reply they said that it is a bug and that they will contact their dev team, but they are not sure when it will be fixed.

So, my second email was:
"If it's a bug, is it okay to submit it to the bug bounty?"
Then I got a reply that it's not a bug,
"it's a feature".
 
Then I was pretty surprised. A "feature" for adding porn links to my browser/browsing history, or what else do they do there?
 
After the first reply they suggested I try some other access points in Singapore from the server list; I tried two, and also one German server, and the problem stays on all of them. I also asked for permission to publish my findings. They mentioned once that I can submit a bug to their bug bounty program, but somehow I was not sure I should do that, because I don't trust them. They will just find some excuse and do what they want.


In the last email I told them that what they do is not okay and that I would contact more people from the IT security world just to hear what they think about this issue.

So I did. I contacted probably 5-6 people and got responses very quickly from 3. All of them confirmed that a VPN should not append anything to your browser. That's definitely not acceptable.

There is also a big issue with promoting porn domains on every web page opened from your PC.

Here is a sample video:
www.awesomescreenshot.com/video

Here is one more:
www.awesomescreenshot.com/video

This is what ChatGPT thinks about this kind of issue.
[Illustration: ChatGPT's answer]

Below I am pasting the links they appended when I opened id.yahoo.com. There were almost 500 links and around 23 KB of additional HTML appended to every page opened over the VPN connection.

Links appended by NordVPN:

get2nesoft1.ru/
lead1.pl/
//pubads.g.doubleclick.net/
delivery.porn.com/
go.astutelinks.com/
ad.kubiccomps.icu/
wittered-mainging.com/
www.profitablecpmgate.com/
promo-bc.com/
adswick.com/
//wagerprocuratorantiterrorist.com/
land.brazzersnetwork.com/
prf.hn/click/
affect3dnetwork.com/track/
s.zlink1.com/
v.investologic.co.uk/
allaptair.club/
pl.premium4kflix.website/
www.FriendlyDuck.com/
tour.mrskin.com/
pagead2.googlesyndication.com/
tracking.comfortclick.eu/
track.healthtrader.com/
tupitea.co/
porntubemate.com/
k2s.cc/pr/
trk.mdrtrck.com/
join.shemalepornstar.com/
a.adtng.com/
waisheph.com/
www.bebi.com
gohere.pl/
syndication.dynsrvtbg.com/
transfer.xe.com/signup/track/
mediaserver.gvcaffiliates.com/
datingbests.life/
natour.naughtyamerica.com/
affiliate.rusvpn.com/click.php?
banners.livepartners.com/
go.xtbaffiliates.com/
www.chngtrack.com/
black77854.com/
betahit.click/
frameworkdeserve.com/
affiliate.fastcomet.com/
galaxyroms.net/?scr=
trk.watchlivesports4k.club/
mypatriotsupply.com/
porngames.adult/?SID=
www.advcashpro.com/aff/
turtlebids.irauctions.com/
bestcond1tions.com/
bongacams10.com/track?
meet-to-fuck.com/
traffic.tc-clicks.com/
iactrivago.ampxdirect.com/
losingoldfry.com/
refpazkjixes.top/
iqbroker.com/
www.kingsoffetish.com/tour
uncensored.game/
traffic.bannerator.com/
ad.doubleclick.net/
mob1ledev1ces.com/
go.goaserv.com/
www.goldenfrog.com/vyprvpn
join.hardcoreshemalevideo.com/
join.dreamsexworld.com/
rapidgator.net/article/premium/
secure.bmtmicro.com/servlets/
join.rodneymoore.com/
www.bet365.com/
go.gldrdr.com/
t.mobtya.com/
.zlink9.com/
clk.right-wing-health.com/
maymooth-stopic.com/
clixtrac.com/
aweptjmp.com/
my-movie.club/
ads2.williamhill.com/
d2.zedo.com/
.engine.adglare.net/
ndt5.net/
axdsz.pro/
aaucwbe.com/
www.gfrevenge.com/landing/
trappist-1d.com/
reachtrgt.com/
www.brazzersnetwork.com/
adsrv4k.com/
//go.eabids.com/
shrugartisticelder.com
see.kmisln.com/
landing.brazzersplus.com/
deliver.ptgncdn.com/
lobimax.com/
go.affiliatexe.com/
go.etoro.com/
join.virtuallust3d.com/
go.xtbaffiliates.com/
funkydaters.com/
fleshlight.sjv.io/
go.alxbgo.com/
twinrdsyn.com/
www.clicktraceclick.com/
engine.blueistheneworanges.com/
fertilitycommand.com/
ad.admitad.com/
click.dtiserv2.com/
glersakr.com/
syndication.exoclick.com/
chaturbate.jjgirls.com/
iac.ampxdirect.com/
traffdaq.com/
t.hrtye.com/
thechleads.pro/
www.onwebcam.com/random
//thaudray.com/
www.passeura.com/
www.nudeidols.com/cams/
speedsupermarketdonut.com/
www.financeads.net/tc.php?
ad.atdmt.com/
mediaserver.entainpartners.com
lnkxt.bannerator.com/
meet-sexhere.com/
clicks.pipaffiliates.com/
www.hostg.xyz/
billing.purevpn.com/aff.php
go.zybrdr.com
go.xlviiirdr.com
track.themadtrcker.com/
globsads.com/
webroutetrk.com/
cpa.10kfreesilver.com/
go.markets.com/visit/?bta=
mmwebhandler.aff-online.com/
fakelay.com/
noqreport.com/
as.sexad.net/
spygasm.com/track?
zstacklife.com/
a.bestcontentoperation.top/
taghaugh.com/
mypillow.com/
www.mrskin.com/account/
.flndmyiove.net/
mystore.com/
go.xlirdr.com
cam4com.go2cloud.org/aff_c?
topoffers.com/
www.highperformancegate.com/
www.avantlink.com/click.php
paid.outbrain.com/network/
cpmspace.com/
click2cvs.com/
bs.serving-sys.com
go.goasrv.com/
www.bang.com/?aff=
//chrif8kdstie.com/
bc.vc/?r=
explore.findanswersnow.net/
enter.anabolic.com/track/
trackfin.asia/
awptjmp.com/
wct.link/
adjoincomprise.com/
go.dmzjmp.com
www.oneclickroot.com/?tap_a=
infinitytrk.com/
odnxe.lncredlbiedate.com/
ak.hetaruwg.com/
go.admjmp.com/
ads.ad4game.com/
partners.fxoro.com/click.php?
claring-loccelkin.com/
paid.outbrain.com/network/
camfapr.com/landing/click/
join.michelle-austin.com/
wct.link/
adtrack1.club/
ovb.im/
bodelen.com/
go.nordvpn.net/aff
pcm.bannerator.com/
paid.outbrain.com/network/
go.cmtaffiliates.com/
albionsoftwares.com/
www.reimageplus.com/
incisivetrk.cvtr.io/click?
join.playboyplus.com/track/
go.trackitalltheway.com/
medleyads.com/
movie.download-file.org/
www.herbanomic.com/
www.adultempire.com/
clicks.totemcash.com/
tracking.gitads.io/
adnetwrk.com/
click.hoolig.app/
dianches-inchor.com/
financeads.net/tc.php?
adultgames.xxx/
go.xxxjmp.com
join.shemalesfromhell.com/
www.mypillow.com/
paid.outbrain.com/network/
//agacelebir.com/
a2.adform.net/
paid.outbrain.com/network/
m.do.co/c/
click.a-ads.com/
vo2.qrlsx.com/
engine.phn.doublepimp.com/
www.onclickmega.com/jump/
ads.cdn.live/
partners.etoro.com/
www.mrskin.com/tour
pongidsrunback.com/
chaturbate.com/in/?tour=
go.xxxijmp.com
track.afcpatrk.com/
.zlinkm.com/
paid.outbrain.com/network/
www.restoro.com/
mypillow.com/
offers.refchamp.com/
//voyeurhit.com/cs/
a-ads.com/
scurewall.co/
www.liquidfire.mobi/
.trust.zone
www.googleadservices.com/pagead/
avtub.click/assets/link.php
static.fleshlight.com/images/banners/
queersodadults.com/
tracking.trackcasino.co/
track.totalav.com/
ourgoldguy.com/contact/
get.surfshark.net/aff_c?
track.effiliation.com/servlet/
itubego.com/video-downloader/
www.jackery.com?aff=
track.interactivegf.com/
americafirstpolls.com/
traffserve.com/
paid.outbrain.com/network/
nutrientassumptionclaims.com/
www.oboom.com/ref/
www.iyalc.com/
hotcandyland.com/partner/
affiliates.thrixxx.com/
go.skinstrip.net
www.infowarsstore.com/
www.adskeeper.com
t.aslnk.link/
www.pingperfect.com/aff.php
prf.hn/click/
go.strpjmp.com/
pb-track.com/
cam4com.go2cloud.org/
www.purevpn.com/
dialling-abutory.com/
vlnk.me/
track.adform.net/
adserver.adreactor.com/
www.camsoda.com/enter.php?
//benoopto.com/
kingered-banctours.com/
go.hpyjmp.com
someperceptionparade.com/
zone.gotrackier.com/
ptapjmp.com/
www.targetingpartner.com/
affcpatrk.com/
ausoafab.net/
//syndication.dynsrvtbg.com/
www.reimageplus.com
go.xlvirdr.com
www.adsexse.com/x/
leg.xyz/?track=
moneynow.one/
join.virtualtaboo.com/track/
streamate.com/landing/click/
ttf.trmobc.com/
//rufflycouncil.com/
track.ultravpn.com/
paid.outbrain.com/network/
bongacams2.com/track?
loboclick.com
www.adpeepshosted.com/
paid.outbrain.com/network/
creacdn.top-convert.com/
static.fleshlight.com/images/
track.clickmoi.xyz/
a.bestcontentweb.top/
deloplen.com/
bestdatinghere.life/
wantopticalfreelance.com/
mylead.global/stl/
paid.outbrain.com/network/
tm-offers.gamingadult.com/
//go.xlviiirdr.com
t.hrtyj.com/
paid.outbrain.com/network/redir
look.utndln.com/
chaturbate.com/in/?track=
burpee.xyz/
tour.mrskin.com/
www.sugarinstant.com/?
go.cm-trk2.com/
cagothie.net/
pubads.g.doubleclick.net/
adclick.g.doubleclick.net/
join3.bannedsextapes.com
totlnkcl.com/
istlnkcl.com/
www.vfreecams.com/in/?track=
dfsdkkka.com/
go.247traffic.com/
fast-redirecting.com/
www.healthrangerstore.com/
www.brighteonstore.com/
join.girlsoutwest.com/
homemoviestube.com/
join.sexworld3d.com/track/
playuhd.host/
www.onlineusershielder.com/
a.medfoodhome.com/
www.sweetdeals.com/
www.fleshlightgirls.com/
go.julrdr.com/
stvkr.com/
gghf.mobi/
www.rabbits.webcam/?id=
r.kraken.com/
www.sheetmusicplus.com/
trk.moviesflix4k.xyz/
1free33style.com/
oackoubs.com/
goldforyourfuture.com/clk.trk
dishphysics.com/
a.bestcontentfood.top/
secure.vivid.com/track/
affiliate.glbtracker.com/
go.xxxiijmp.com
ads.betfair.com/redirect.aspx?
tragency-clesburg.icu/
click.payserve.com/
www.mypillow.com/
www.mypatriotsupply.com/
ad.yieldmanager.com/
paid.outbrain.com/network/
paid.outbrain.com/network/
go.tmrjmp.com
www.arthrozene.com/
affpa.top/
aj1070.online/
www.mypornstarcams.com/landing/
thaudray.com/
engine.trackingdesks.com/
torrentsafeguard.com/?aid=
deliver.tf2www.com/
www.masstortfinancing.com/
track.fiverr.com/visit/
as.conjectwatson.com/
track.afftck.com/
www.nutaku.net/signup/landing/
join.shemale.xxx/
www.sheetmusicplus.com/
juicyads.in
www.privateinternetaccess.com/
ads.leovegas.com/redirect.aspx?
clickadilla.com/
trf.bannerator.com/
dooloust.net/
awecrptjmp.com/
www.highperformancecpmgate.com
adultfriendfinder.com/go/page/
join.trannies-fuck.com/
msecure117.com/
paid.outbrain.com/network/
go.247traffic.com/
routewebtk.com/
adultfriendfinder.com/go/page/
a.montangop.top/
antiagingbed.com/discount/
go.hpyrdr.com/
uncensored3d.com/
ads.planetwin365affiliate.com/
agacelebir.com/
googleads.g.doubleclick.net/pcs/
misslinkvocation.com/
t.grtyi.com/
earandmarketing.com/
azpresearch.club/
s.zlink2.com/
go.ebrokerserve.com/
//lkstrck2.com/
1startfiledownload1.com/
detachedbates.com/
ilovemyfreedoms.com/landing-
mk-cdn.net/
engine.gettopple.com/
tracking.avapartner.com/
www.adultdvdempire.com/?partner_id
go.xlivrdr.com
rs-stripe.wsj.com/stripe/redirect
paid.outbrain.com/network/
ad.zanox.com/ppc/
meet-sex-here.com/
join.ts-dominopresley.com/
goldcometals.com/clk.trk
refpa4903566.top/
misspkl.com/
ismlks.com/
www.cloudways.com/en/?id
cipledecline.buzz/
www.sweetdeals.com
masstortfinancing.com
//ngeoziadiyc4hi2e.com/
go.xlviirdr.com
ad.doubleclick.net/
torguard.net/aff.php
takeallsoft.ru/
shiftnetwork.infusionsoft.com/go/
t.adating.link/
landing1.brazzersnetwork.com
watchmygirlfriend.tv/
go.currency.com/
optimizedelite.com/
awentw.com/
go.cmrdr.com/
adserver.adreactor.com/
//lambingsyddir.com/
residenceseeingstanding.com/
www.mrskin.com/tour
intent.bingads.com/
go.fpmarkets.com/
go.xlrdr.com
go.4rabettraff.com/
bluedelivery.pro/
tc.tradetracker.net/
cpartner.bdswiss.com/
adf.ly/?id=
fastestvpn.com/lifetime-special-deal
5hjdbfjfd5.monster/
aff-ads.stickywilds.com/
cams.imagetwist.com/in/?track=
landing.brazzersnetwork.com/
serve.awmdelivery.com/
www.get-express-vpn.com/offer/
ads-for-free.com/click.php?
bngpt.com/
m.hsrve.com/
www.coiwqe.site/
trusted-click-host.com/
intenseaffiliates.com/redirect/
track.bruceads.com/
freecourseweb.com/
www.adultempire.com/unlimited/
www.mystore.com/
paid.outbrain.com/network/
www.get-express-vpn.com/offer/
www.awin1.com/cread.php?awinaffid=
geniusdexchange.com/
//apptjmp.com/
awbbjmp.com/
prf.hn/click/
reinstandpointdumbest.com/
click.linksynergy.com/fs-bin/
//coarsewary.com/
pityhostngco2.xyz/
trafficare.net/
bongacams.com/track?
jdrucker.com/gold
myusenet.xyz/
tc.tradetracker.net/
googleads.g.doubleclick.net/
track.wg-aff.com
syndication.optimizesrv.com/
images.purevpnaffiliates.com


Tags: #nordvpn #vpn #spam #privacy #security

Nezir Zahirovic