Researchers found critical vulnerabilities in three popular VPN services that could leak users’ real IP addresses and other sensitive data.
A VPN, or Virtual Private Network, is a great way to protect your daily online activities: it works by encrypting your data and boosting security, and it is also useful for obscuring your actual IP address.
While some choose VPN services for online anonymity and data security, one major reason many people use a VPN is to hide their real IP addresses to bypass online censorship and access websites that are blocked by their ISPs.
But what if the VPN you thought was protecting your privacy is actually leaking your sensitive data and real location?
A team of three ethical hackers hired by privacy advocate firm VPN Mentor revealed that three popular VPN service providers (HotSpot Shield, PureVPN, and Zenmate) with millions of customers worldwide were found vulnerable to flaws that could compromise users’ privacy.
The team includes application security researcher Paulos Yibelo and an ethical hacker known by his alias ‘File Descriptor’, who works for Cure53; the identity of the third member has been withheld on request.
PureVPN is the same company that lied about having a ‘no log’ policy but, a few months ago, helped the FBI with logs that led to the arrest of a Massachusetts man in a cyberstalking case.
After a series of privacy tests on the three VPN services, the team found that all three VPN services are leaking their users’ real IP addresses, which can be used to identify individual users and their actual location.
Concerning consequences for end users, VPN Mentor explains that the vulnerabilities could “allow governments, hostile organizations [sic], or individuals to identify the actual IP address of a user, even with the use of the VPNs.”
The issues in ZenMate and PureVPN have not been disclosed since they have not yet been patched, while VPN Mentor says the issues discovered in ZenMate VPN were less severe than those in HotSpot Shield and PureVPN.
The team found three separate vulnerabilities in AnchorFree’s HotSpot Shield, which have been fixed by the company. Here’s the list:
- Hijack all traffic (CVE-2018-7879) — This vulnerability resided in Hotspot Shield’s Chrome extension and could have allowed remote hackers to hijack and redirect a victim’s web traffic to a malicious site.
- DNS leak (CVE-2018-7878) — A DNS leak flaw in Hotspot Shield exposed users’ original IP address to the DNS server, allowing ISPs to monitor and record their online activities.
- Real IP Address leak (CVE-2018-7880) — This flaw poses a privacy threat to users since hackers can track a user’s real location and ISP. The issue occurred because the extension had a loose whitelist for “direct connection.” Researchers found that any domain with localhost, e.g., localhost.foo.bar.com, and ‘type=a1fproxyspeedtest’ in the URL bypass the proxy and leak the real IP address.
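
The loose “direct connection” whitelist from the last item, shown beside a stricter form, as an added example that is not Hotspot Shield’s own code. It assumes the two conditions each trigger a direct connection on their own; the proxy address, function names and speed-test host are hypothetical.

```javascript
// Added example: PAC-style routing decision, loose vs. strict.
const PROXY = "HTTPS proxy.example.invalid:443"; // placeholder proxy

// Loose rule as the article describes it: substring matches anywhere in the
// hostname or URL are enough to skip the proxy.
function looseRoute(url) {
  const host = new URL(url).hostname;
  if (host.includes("localhost") || url.includes("type=a1fproxyspeedtest")) {
    return "DIRECT";
  }
  return PROXY;
}

// Strict rule: only exact loopback hostnames go direct, and the speed-test
// marker counts only as a real query parameter on an allow-listed host.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const SPEEDTEST_HOSTS = new Set(["speedtest.vendor.example"]); // hypothetical

function strictRoute(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return PROXY; // fail closed: unparseable input never goes direct
  }
  // Normalise case and a trailing root dot before comparing.
  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
  if (LOOPBACK_HOSTS.has(host)) return "DIRECT";
  const isSpeedTest = parsed.searchParams.get("type") === "a1fproxyspeedtest";
  if (SPEEDTEST_HOSTS.has(host) && isSpeedTest) return "DIRECT";
  return PROXY;
}

// Constructed sample URLs, not taken from the report.
const SAMPLES = [
  "https://localhost.foo.bar.com/",
  "https://tracker.example/pixel?type=a1fproxyspeedtest",
  "http://localhost:8080/status",
  "https://speedtest.vendor.example/run?type=a1fproxyspeedtest",
];

// Route every sample through both rules so the differences are visible.
function compare(samples) {
  return samples.map((url) => ({ url, loose: looseRoute(url), strict: strictRoute(url) }));
}

console.table(compare(SAMPLES));
```

Any row where the loose column says DIRECT and the strict column names the proxy is a request that would have left the tunnel and exposed the real IP address.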
It must be noted that all three vulnerabilities were in HotSpot Shield’s free Chrome plug-in, not in the desktop or smartphone apps.
The researchers also reported similar vulnerabilities in the Chrome plugins of Zenmate and PureVPN, but for now, the details of the bugs are being kept under wraps since neither manufacturer has fixed them yet.
Researchers believe that most other VPN services also suffer from similar issues.