Are you privacy-savvy and relying on a VPN to keep your online business to yourself? If so, you may want to know that a VPN recommendation site decided to test 3 VPNs to see whether they were flawlessly performing their task. The results weren’t good at all – three out of the three services the website tested turned out to be leaking IP addresses of its users.
Hotspot Shield, PureVPN, Zenmate Tested for Privacy-Leaking Bugs
VPNMentor consulted with “accredited researchers” who tested three well-known VPNs – Hotspot Shield, PureVPN, and Zenmate. The idea was to check whether the mentioned services could leak data.
“While we hoped to find zero leaks, we regretfully found that all of them leak sensitive data,” VPNMentor said.
How did it all start? The website hired Paulos Yibelo from Cure53 known as File Descriptor, and an anonymous researcher to perform the test. And as already mentioned, the researchers found leaks in all three of the VPNs (Hotspot Shield, PureVPN, and Zenmate).
It is worth mentioning that one of the VPNs, Hotspot Shield, responded swiftly to the vulnerability disclosure:
On the positive side, after we contacted the VPN vendors, we saw one that was fast to respond and release a patch within days. We are still waiting to hear from the other two VPN vendors, and have decided to publish the information in hope that they will hurry up and fix the underlying issues for the benefit of their users.
The vulnerabilities in Hotspot Shield were only located in its Chrome extension, meaning that the desktop and mobile versions were intact. One of the bugs enabled an attack to hijack the user’s traffic via a malicious site.
More specifically, the bug detected if the current URL had the query parameter act=afProxyServerPing, and if it did, it routed all traffic to the proxy hostname provided by the server parameter. The bug appeared to be a leftover of an internal test code that remained in the public version, and as stated, it is already fixed. The other bugs were also fixed, including a DNS and an IP address leaks.
As for the IP leak, it could be triggered because the browser extension had an unconstrained whitelist for direct connection.
The other two VPNs that were tested still haven’t responded to VPNMentor, so their vulnerabilities are not detailed yet. However, it is known that both of the services leaked user IP addresses. Users of the two VPNs are advised to contact their support teams to demand for the bugs to be addressed as soon as possible.