
Hotspot Shield VPN Can Leak Users' Information to Hackers, Fix Incoming

Highlights
  • Hotspot Shield found to have a serious vulnerability
  • The flaw could let attackers extract sensitive information
  • AnchorFree has promised an update to patch the vulnerability

A Virtual Private Network (VPN) is the need of the hour if you want to hide your identity on the Internet. But in a fresh discovery, a security researcher has found that users opting for Hotspot Shield, which claims to have over 500 million users worldwide, are at risk because the VPN client is disclosing their sensitive information.

The vulnerability, listed as CVE-2018-6460 on the National Vulnerability Database in the US, lets attackers extract details about the system on which Hotspot Shield is running; moreover, courtesy of the bug, hackers can figure out whether the user is connected to the VPN and from which location. AnchorFree, the company behind Hotspot Shield, has reportedly acknowledged the flaw to an extent and promised an update to protect its users.

Web application security researcher and penetration tester Paulos Yibelo, who spotted the Hotspot Shield bug, revealed that the VPN client hosts sensitive JSONP endpoints on its native Web server that return various values and configuration data. All of this could help a potential attacker obtain sensitive information secretly. "User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address," reads the description of the vulnerability.
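The root cause described above is a JSONP endpoint on a local web server that accepts an unfiltered callback name. The following is an added example, not Hotspot Shield's or AnchorFree's code, of how such a handler can be hardened: the func parameter is restricted to a bare JavaScript identifier (so a value like $_APPLOG.Rfunc is rejected), and the caller must present a per-install secret token, which is an assumed mitigation not described on the page.

```python
import hmac
import json
import re

# Only a bare JavaScript identifier is accepted as the JSONP callback name:
# no '$', no '.', no parentheses, so "$_APPLOG.Rfunc" cannot name an internal
# object or reach one of its properties. (Added example, not the product's code.)
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def is_safe_callback(name):
    """True only for plain identifiers such as 'onStatus'."""
    return name is not None and CALLBACK_RE.match(name) is not None


def render_status(callback, status):
    """Serialise `status` (a dict) as JSON, or as JSONP when a safe callback is given."""
    body = json.dumps(status)
    if callback is None:
        return "application/json", body
    if not is_safe_callback(callback):
        raise ValueError("rejected callback name")
    # The leading /**/ plus the nosniff header set by the handler are standard
    # JSONP hygiene against content-type confusion.
    return "application/javascript", "/**/%s(%s);" % (callback, body)


def handle_status_request(params, presented_token, expected_token, status):
    """Simulated /status.js handler with two mitigations: the caller must present
    the per-install secret (hypothetical; a page on another site cannot know it),
    and the func parameter must be a bare identifier.
    Returns (http_status, headers, body)."""
    if presented_token is None or not hmac.compare_digest(presented_token, expected_token):
        return 401, {"Content-Type": "text/plain"}, "missing or invalid token"
    try:
        ctype, body = render_status(params.get("func"), status)
    except ValueError:
        return 400, {"Content-Type": "text/plain"}, "bad callback"
    headers = {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample status data, not real output from the product.
    sample = {"connected": True, "country": "XX"}
    print(handle_status_request({"func": "$_APPLOG.Rfunc"}, "t0k", "t0k", sample))
    print(handle_status_request({"func": "onStatus"}, "t0k", "t0k", sample))
```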

Folks at ZDNet were able to verify the presence of the vulnerability by using the proof-of-concept code developed by Yibelo. The proof-of-concept code calls a JavaScript file served by the Hotspot Shield web server installed on the user's computer, which returns sensitive data, including configuration details of the machine.

While Yibelo claims that he was able to obtain the real IP addresses of Hotspot Shield users in some cases, ZDNet didn't find them during their tests. AnchorFree VP of Marketing Communications Tim Tsoriev also reportedly denied Yibelo's claim regarding the exposed IP addresses, and stated that the vulnerability neither leaks real IP addresses of users nor any personal information. That being said, Tsoriev, in a statement to ZDNet, did mention that the vulnerability "may expose some generic information" and could let attackers see the user's country. The executive also asserted that an update to fix the serious flaw will be released this week.

Interestingly, AnchorFree had been aware that the vulnerability existed within Hotspot Shield since December, but it didn't respond to Yibelo's finding at that time. The VPN client claims to encrypt user data, including passwords, financial transactions, and instant messages, and to detect and block more than 3.5 million malicious, phishing, and spam sites. Moreover, it offers a US IP address to mask the actual IP address of its users so they can access the Web anonymously.


Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a senior reporter for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments.