According to VPN Mentor, a privacy advocate firm which reviews virtual private networks (VPN), after an in-depth research, it has been discovered that three VPN service providers with millions of customers worldwide are leaking sensitive data such as users’ IP addresses – These VPNs include HotSpot Shield, PureVPN, and Zenmate.
What is a VPN used for?
The purpose of using a VPN depends on the situation but mostly people opt-in for VPNs to fight online censorship by accessing websites that are blocked by their ISPs while some chose to use VPN for anonymity and better privacy.
But what happens when the VPN you thought was protecting your privacy was actually posing a threat to it? You can be under government surveillance or malicious organizations, hackers can track your IP address and identify your ISP or on a business level, it can allow attackers to carry distributed denial-of-service (DDoS) attacks.
3 hackers exposed vulnerabilities in 3 top VPN vendors
According to VPN Mentor’s blog post, in order to find vulnerabilities in HotSpot Shield, PureVPN, and Zenmate VPN Mentor hired three ethical hackers who after testing concluded all three VPN have been leaking IP address of the user, even when a VPN is in use posing a massive privacy threat.
Out of three hackers, one has decided to keep their identity hidden while one going by the online handle of File Descriptor while the other Paulos Yibelo. Here it must be noted that the vulnerabilities exist in the Chrome browser plugins for all three VPNs and not in the desktop or smartphone apps.
HotSpot Shield VPN vulnerabilities
According to the findings, AnchorFree’s HotSpot Shield was filled with three vulnerabilities. The first vulnerability (CVE-2018-7879) allowed remote attackers to cause a reload of the affected system or to remotely execute code.
The second and third vulnerabilities (CVE-2018-7878 & CVE-2018-7880) leaked IP and DNS addresses which as discussed above poses a privacy threat to users since hackers can track user location and the ISP.
HotSpot Shield fixed the vulnerabilities
HotSpot Shield was quick to respond to VPN Mentor regarding the vulnerabilities and patched all vulnerabilities professionally and timely protecting millions of its users from what could be a serious threat if exploited.
“The fast response of Hotspot Shield is something we think is worth commending. We felt that they worked with our research team in a fast and serious manner and that they care for their users. They took our research as help for improvement rather than criticism,” said the co-founder of vpnMentor Mr. Ariel Hochstadt.
It is a good news for Hotspot Shield users as last year the VPN vendor was in the news for violating user privacy by intercepting web traffic, keeping activity logs and redirecting it to third-party websites especially advertising companies.
Vulnerabilities in PureVPN and ZenMate
In PureVPN and Zenmate, researchers also found that loopholes similar to Hotspot Shield may leak user sites and IP addresses. However, because they did not receive a response from both manufacturers, they did not specify the loopholes of both, but they appealed for two products. The user pays attention and confirms with the manufacturer.
HackRead has also contacted PureVPN and Zenmate. This article will be updated in case the vendors decided to reply.
Both PureVPN and Zenmate have replied to our emails.
According to PureVPN’s outreach manager Fahad Ali “The Firefox browser, by default, has an inherent limitation where it makes it almost impossible to identify and differentiate remote and local hosts. Our intention was to allow users the freedom to access all local domains conveniently while using our extension.”
“The tests that were carried out were not on PureVPN’s latest Firefox extension build since it has already been patched. The Firefox store clearly shows that our extension was last updated on March 07, 2018, and this update included the fix for the above-mentioned issue.”
ZenMate’s CTO Jörn Stampehl replied to our email and said that the company is aware of the situation.
“We are aware of that situation since Google introduced WebRTC in its Chrome browser and of the fact that there are possible privacy implications of WebRTC as they are generic to every VPN and not only affecting ZenMateusers. “
“We appreciate the work from vpnMentor in pointing out potential problems as the security and privacy of our users are very important to us and we put a lot of effort in to protect that. In fact, we are one of the very few commercial VPN companies operating under very strict German privacy laws and do not track, log or sell the data of our users, as opposed to many other companies in this field,” Jörn said
To solve the issue, ZenMate is urging its users on Chrome to install the extension ‘WebRTC Network Limiter.’ Moreover, the company has also published a support article addressing the issue in depth which can be accessed here.