Skip to main content

Warning – 3 Popular VPN Services Are Leaking Your IP Address

Researchers found critical vulnerabilities in three popular VPN services that could leak users' real IP addresses and other sensitive data.

VPN, or Virtual Private Network, is a great way to protect your daily online activities that work by encrypting your data and boosting security, as well as useful to obscure your actual IP address.

While some choose VPN services for online anonymity and data security, one major reason many people use VPN is to hide their real IP addresses to bypass online censorship and access websites that are blocked by their ISPs.

But what if when the VPN you thought is protecting your privacy is actually leaking your sensitive data and real location?

A team of three ethical hackers hired by privacy advocate firm VPN Mentor revealed that three popular VPN service providers—HotSpot Shield, PureVPN, and Zenmate—with millions of customers worldwide were found vulnerable to flaws that could compromise user's privacy.

The team includes application security researcher Paulos Yibelo, an ethical hacker known by his alias 'File Descriptor' and works for Cure53, and whereas, the identity of third one has not been revealed on demand.

PureVPN is the same company who lied to have a 'no log' policy, but a few months ago helped the FBI with logs that lead to the arrest of a Massachusetts man in a cyberstalking case.

After a series of privacy tests on the three VPN services, the team found that all three VPN services are leaking their users' real IP addresses, which can be used to identify individual users and their actual location.

Concerning consequences for end users, VPN Mentor explains that the vulnerabilities could "allow governments, hostile organizations [sic], or individuals to identify the actual IP address of a user, even with the use of the VPNs."

The issues in ZenMate and PureVPN have not been disclosed since they haven't yet patched, while VPN Mentor says the issues discovered in ZenMate VPN were less severe than HotSpot Shield and PureVPN.

The team found three separate vulnerabilities in AnchorFree's HotSpot Shield, which have been fixed by the company. Here's the list:
  • Hijack all traffic (CVE-2018-7879) — This vulnerability resided in Hotspot Shield’s Chrome extension and could have allowed remote hackers to hijack and redirect victim's web traffic to a malicious site.
  • DNS leak (CVE-2018-7878) — DNS leak flaw in Hotspot Shield exposed users' original IP address to the DNS server, allowing ISPs to monitor and record their online activities.
  • Real IP Address leak (CVE-2018-7880) — This flaw poses a privacy threat to users since hackers can track user's real location and the ISP. the issue occurred because the extension had a loose whitelist for "direct connection." Researchers found that any domain with localhost, e.g., localhost.foo.bar.com, and 'type=a1fproxyspeedtest' in the URL bypass the proxy and leaks real IP address.
Here it must be noted that all the three vulnerabilities were in the HotSpot Shield's free Chrome plug-in, not in the desktop or smartphone apps.

The researchers also reported similar vulnerabilities in the Chrome plugins of Zenmate and PureVPN, but for now, the details of the bugs are being kept under wraps since both the manufacturers have not yet fixed them.

Researchers believe that most other VPN services also suffer from similar issues.

YOU MAY ALSO LIKE:
Labels:
Location: India

Comments

Post a Comment

Popular posts from this blog

Chrome Web Browser Will Now Use 10% More RAM With Spectre Fix

A new security feature named ‘Site Isolation’ has been introduced for Google Chrome 67 which would nullify the effects of speculative execution side-channel attacks like Spectre. To put things to the perspective, Spectre is one of the two fundamental design flaws in the  modern processors, which allow programs to get access to the data for which it is not authorized. Malicious data can exploit this flaw to steal your password and other personal information. What is Site Isolation? The new Site Isolation feature introduced in Google Chrome 67 brings about a fundamental change to Chrome’s architecture. Now, Chrome has changed how its multi-process architecture worked and different tabs used different render processes. According to the new architecture, Chrome limits each renderer process to a single site. By this separation of processes, Google aims to prevent direct memory reading across different processes to safeguard users’ data. According to G...
Post a Comment
Read more

Amazon, Reddit And Others Fail To Warn Us About Dumb Passwords

B elieve it or not, there is still a large number of people who use passwords such as “password,” “password123”, “[dog’s name]1” and others along the same lines. And in the era of sophisticated hacking, these passwords are not exactly “safe.” Before me, this is the first thing websites should inform you while setting up a password. But apparently, many big names are not doing enough to encourage non-terrible passwords, according to  the new research . Steve Furnell from the University of Plymouth has been keeping tabs on the websites like Amazon, Reddit, and Wikipedia for many years, carrying out similar assessments in 2007, 2011 and 2014. His 2018 survey examined practices of Google, Facebook, Wikipedia, Reddit, Yahoo, Amazon, Twitter, Instagram, Microsoft Live, and Netflix. The study concluded that Amazon had the worst performance among all the names. It nearly accepted every kind of password of any length. On the other hand, Yahoo and Wikip...
Post a Comment
Read more

Is Microsoft Working On A New “Next-generation OS”? Should I Really Get Excited?

I n an announcement that’ll surely spark the interest of Windows enthusiasts, Synaptics hinted at a new “next-generation” operating system from Microsoft. This announcement took place during a conference, where Synaptics and AMD shared their plans to work together to secure the operating systems with a new kind of fingerprint sensor. Here’s what the press release from Synaptics actually said: Further, the new “biometric security OS” gets a mention again along with Windows Hello. The partnership with AMD will reportedly let Synaptics use FS7600 Match-in-Sensor technology, which is completely isolated from the rest of the system and operating system for extra security. It goes without saying that you need to take this news with an extra pinch of salt than the regular rumors that keep making rounds. The next-gen OS from Microsoft could be merely the next significant Windows 10 upgrade. In case you’re a person who loves to think more positively, ...
Post a Comment
Read more