Several privacy-busting bugs found in popular VPN services

Three popular VPN services have been found to leak private user information, which, if exploited, could be used to identify users.

The report, published Tuesday, reveals several vulnerabilities in Hotspot Shield, Zenmate, and PureVPN — all of which promise to provide privacy for their users.

The job of a VPN, or virtual private network, is to funnel a user’s internet and browsing traffic through other servers, making it difficult for others to identify users and eavesdrop on their browsing habits. VPNs are popular in parts of the world where internet access is restricted or censored. Often, the traffic is encrypted so that internet providers, and even the VPN services themselves, have no access.

But the research reveals bugs that can leak real-world IP addresses, which in some cases can identify individual users and determine a user’s location.

In the case of Hotspot Shield, three separate bugs in how the company’s Chrome extension handles proxy auto-config scripts — used to direct traffic to the right places — leaked both IP and DNS addresses, which undermines the effectiveness of privacy and anonymity services.

Another bug could have allowed an attacker to hijack and redirect web traffic to a proxy server, according to the research. An attacker could trick a user into clicking a link with malicious parameters, and all traffic would then go to the attacker’s server.

AnchorFree, which makes Hotspot Shield, fixed the bugs and noted that its mobile and desktop apps were not affected.

The researchers also reported similar IP leaking bugs to Zenmate and PureVPN.

A PureVPN spokesperson said in an email that the company had fixed the bugs a week earlier.

The report was authored by three researchers: Paulos Yibelo, who also found a similar information leak in Hotspot Shield last month; a pseudonymous researcher who goes by the handle File Descriptor; and a third who wants to keep their identity private.

Zenmate did not respond to a request for comment.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
