Slashdot Mirror

← Back to Stories (view on slashdot.org)

Privacy-Busting Bugs Found in Popular VPN Services Hotspot Shield, Zenmate and PureVPN (zdnet.com)

Posted by msmash on from the privacy-woes dept.

A report by VpnMentor, a website which ranks VPN services, reveals several vulnerabilities in Hotspot Shield, Zenmate, and PureVPN -- all of which promise to provide privacy for their users. VpnMentor says it hired a team of three external ethical hackers to find vulnerabilities in three random popular VPNs. While one hacker wants to keep his identity private, the other two are known as File Descriptor and Paulos Yibelo. ZDNet: The research reveals bugs that can leak real-world IP addresses, which in some cases can identify individual users and determine a user's location. In the case of Hotspot Shield, three separate bugs in how the company's Chrome extension handles proxy auto-config scripts -- used to direct traffic to the right places -- leaked both IP and DNS addresses, which undermines the effectiveness of privacy and anonymity services. [...] AnchorFree, which makes Hotspot Shield, fixed the bugs, and noted that its mobile and desktop apps were not affected by the bugs. The researchers also reported similar IP leaking bugs to Zenmate and PureVPN.

60 comments

  1. VPN recommendations by 110010001000 · · Score: 2

    So what VPN provider do you people recommend?

    1. Re: VPN recommendations by Anonymous Coward · · Score: 0

      Been a user with airvpn for a few years. Fast with good privacy and security

    2. Re:VPN recommendations by forkfail · · Score: 1

      Assume that nothing you write on 'web or a 'web connected computer is truly private. This makes some things easier.

      Also may lead to a diminished of the sense of privacy and freedom. This makes some things harder.

      --
      Check your premises.
    3. Re:VPN recommendations by Anonymous Coward · · Score: 0

      Private Internet Access. Good application; support; privacy; speed.

    4. Re:VPN recommendations by gnick · · Score: 1

      I use Private Internet Access and have zero complaints. Easy to use, plenty fast, and about $40/yr. Well worth it.

      --
      He's getting rather old, but he's a good mouse.
    5. Re:VPN recommendations by Anonymous Coward · · Score: 1

      So what VPN provider do you people recommend?

      What they do in the movies ... hack into someone else's host, run your VPN from there to another host you've hacked into ... a couple of layers of that stuff, and you're golden.

      The police show up at some poor unsuspecting grandma's house and shoot her.

      Profit!

    6. Re:VPN recommendations by 110010001000 · · Score: 1

      The site seems to be down.

    7. Re:VPN recommendations by Anonymous Coward · · Score: 0

      Inevitably all the VPN providers will be infected or busted or shut down in an effort for governments to "provide safety" to their citizens. As that happens VPN clients will scatter from those services like cockroaches from beneath a lifter rock.they will find another rock and the process will repeat.

      In the end no VPN service is truly safe. They only provide the illusion of safety. The rest is all hubris.

    8. Re:VPN recommendations by Anonymous Coward · · Score: 0

      ??? I can see it.

    9. Re:VPN recommendations by Anonymous Coward · · Score: 0

      That's called security through obscurity; a feature, not a bug!

    10. Re:VPN recommendations by Anonymous Coward · · Score: 0

      I just grabbed PIA. I'm not selling drugs or anything, just throwing a wrench into the innumerable logs and systems around me. Hoovering, meddling, blocking, whatever they're up to. If it's not my doing, it's not in my interest. Forget "nothing to hide", I have nothing to lose by reclaiming a bit of privacy.

      While vulnerabilities are important if you're, say, a whistleblower in an oppressive country, it's probably a nonissue for a casual case like me. But then the service's name is shit and they're not properly delivering on their claims.

      I can't formally vet PIA is "good" (though the sister posts are rolling in) but they claim to not store logs. No need to sign up for an account, various sub options. I pay in cash-bought gift cards. Yes, it's theoretically possible to associate card locations and even find purchasing footage, but again, casual user, not supersecretspyagent trying to haxor teh mainframez.

      Assuming most people fall into casual needs, PIA is "good enough".

    11. Re:VPN recommendations by ArhcAngel · · Score: 1

      Your browser did the super secret handshake wrong.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    12. Re:VPN recommendations by gnick · · Score: 1

      I'm not having an issue with it. Are you trying to access it from a connection that might filter out VPN providers? Pretty sure those were blocked at my last workplace. I'm assuming you're not in Iran or someplace weird where VPN providers are enemies of the state.

      --
      He's getting rather old, but he's a good mouse.
    13. Re:VPN recommendations by 110010001000 · · Score: 1

      Yes that is probably it! Thanks.

    14. Re:VPN recommendations by breeze95 · · Score: 1

      I use Private Internet Access and have zero complaints. Easy to use, plenty fast, and about $40/yr. Well worth it.

      I concur with everything you wrote. Being using it for 2 years now and would enthusiastically recommend it.

    15. Re:VPN recommendations by Anonymous Coward · · Score: 0

      I use Private Internet Access and have zero complaints. Easy to use, plenty fast, and about $40/yr. Well worth it.

      PIA has also does not keep logs of its user activities, as confirmed in their response to a subpoena:

      https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/

    16. Re:VPN recommendations by gnick · · Score: 1

      I may have a habit of backing unpopular opinions, but let it never be said that I don't check my links. Cheers.

      --
      He's getting rather old, but he's a good mouse.
    17. Re:VPN recommendations by Anonymous Coward · · Score: 0

      Link to the link:
      https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/

      - The Phantom Linker

    18. Re: VPN recommendations by Anonymous Coward · · Score: 0

      Private Internet Access is good, but make sure you're able to troubleshoot decently on your own since their customer service is terrible. If you can afford a higher price for premium service, try ExpressVPN.

    19. Re: VPN recommendations by Anonymous Coward · · Score: 0

      A reputable, commercial/paid VPN with a solid track record of defending users is good enough for 99% of users.

      Anyone who needs the highest levels of security should use Tor, but on the flip side, no one should use Tor who doesn't actually NEED it since it comes with its own downsides and problems. But most everyone should use a top tier commercial VPN.

    20. Re: VPN recommendations by pnutjam · · Score: 1

      I think AirVPN is the best service oriented privacy VPN.

      --
      Cheap storage VM.
    21. Re:VPN recommendations by Muntzsky · · Score: 1

      Use these ratings and decide for yourself: https://thatoneprivacysite.net...

      I've been using Mullvad for a while and I'm happy with it. Cost is 5 Euros/month with numerous payment options including cash. They have servers all around the world. Compatible with OpenVPN client (I use it on PC and iPhone).

      If you find the website above useful, throw them some dough.

  2. Can't trust anyone by Anonymous Coward · · Score: 0

    You know you just cannot trust anyone to provide what they say anymore. I guess they figure most people are too dumb to figure it out.

    1. Re:Can't trust anyone by gnick · · Score: 1

      You've GOTTA trust your VPN provider. What choice do you have? You could choose to trust your ISP, but they don't even hide the fact that they're mining you.

      --
      He's getting rather old, but he's a good mouse.
    2. Re:Can't trust anyone by Anonymous Coward · · Score: 0

      You've GOTTA trust your VPN provider.

      Nope. A vpn provider could be compromised. That is why you use a chain of them. While using one VPN, you use it to connect to a second VPN, which is used to connect to the third . . .

      If one of these vpn providers isn't compromised - or at the very least doesn't cooperate with the others, then you have privacy. So, you preferably uses a chain of VPNs hosted in different jurisdictions. Such as one American, one Russian, one Chinese, one German . . .

    3. Re:Can't trust anyone by gnick · · Score: 1

      I think the rule-of-thumb is 6. Six layers of independent VPNs and then browse only with TOR. The small hit in latency is a small price to pay to keep the Man from connecting my Slashdot account with my Facebook account.

      --
      He's getting rather old, but he's a good mouse.
  3. Funky browser plugin "VPNs" by Burz · · Score: 5, Insightful

    Use a real VPN client like openvpn with appropriate firewall rules instead.

    1. Re:Funky browser plugin "VPNs" by Anonymous Coward · · Score: 0

      OK, so I set up an OpenVPN box at home behind my Comcast router. What's my next step to hide my IP? kthxbye!

    2. Re:Funky browser plugin "VPNs" by Anonymous Coward · · Score: 0

      Rent a cheap VPS on a continent far away. Pay with cash in an envelope or monero or however you think yo can pay without divulging your identity.
      Use only TOR to access this VPS.

    3. Re:Funky browser plugin "VPNs" by Anonymous Coward · · Score: 0

      No thanks. I'd rather install OpenVPN server at my house so I can trust it. How to I hide my IP?

    4. Re:Funky browser plugin "VPNs" by Anonymous Coward · · Score: 0

      Cash in an envelope to a far away continent. Good thinking! Totally leet move Anon.

    5. Re:Funky browser plugin "VPNs" by Anonymous Coward · · Score: 0

      You don't. To hide your IP you have to bounce through another box somewhere else.

    6. Re:Funky browser plugin "VPNs" by Anonymous Coward · · Score: 0

      No, VPN makes it PRIVATE. That's what the "P" means. RTFM dude! You h4x0rz are morans.

    7. Re:Funky browser plugin "VPNs" by Anonymous Coward · · Score: 0

      Best choice is to choose a reputable VPN provider, the kind that don't log your metadata. Its not hard, check out zdnet or pcmag for reviews. Then go to the provider's Openvpn setup section, grab the config files and follow instructions.

      If you run your own service from your house, then your ISP will record your activity and even try to sell it to other parties for a profit.

    8. Re:Funky browser plugin "VPNs" by pnutjam · · Score: 1

      Connect it to PIA so all your traffic routes through a vpn.

      --
      Cheap storage VM.
  4. Don't use a VPN service's software! by Anonymous Coward · · Score: 0

    In the case of Hotspot Shield, three separate bugs in how the company's Chrome extension ..

    ..noted that its mobile and desktop apps were not affected by the bugs...

    The article makes it sounds like these companies offer a VPN service, but weirdly, it also talks about them supplying software. No sane user will ever be doing both.

    Just a little reminder, or in case there's anyone here who has never used a computer for: one of the first things every single computer user eventually learns, is that you don't ever want to get hardware, software, or services from the same entity. Sometimes exceptions happen that you can't practically do anything about, but even so, those exceptions are always bad and long-term they almost always result in loss. (Most common example: handheld phone/pc comes with preloaded OS. Half the time, this kind of fuckup ends with retiring the hardware earlier than it's obsolete, simply because you can't upgrade the software.)

    In the context of VPNs, this means you shouldn't be getting any software from the VPN company. Just use standard software (e.g. OpenVPN), and only select services that work with the standard. The standard software will be great, so don't worry!

    Or if someone makes a VPN "app" that you like, you can make sure it's standard by using it with some other company's VPN service.

    Standards help keep everyone honest and competent, and you should always be using them at any well-understood interfaces. If you screw this up, there are lots of companies that basically make their whole living off exploiting your naivety. Their most common attack is lock-in, but really, there's lots more things that can (and sometimes do) go wrong.

    1. Re:Don't use a VPN service's software! by pnutjam · · Score: 1

      Most of these flaws are in browser extensions and such. A company provided desktop client isn't necessarily a bad thing. I use the PIA android app because it supports some features that would be a pain to manage manually.
      I also make sure they use openVPN and use that on my home router.

      --
      Cheap storage VM.
  5. VPN is a suckers game by SuperKendall · · Score: 2, Informative

    Opinion: All VPN's have CIA backdoors and are heavily monitored.

    Change my mind.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:VPN is a suckers game by Anonymous Coward · · Score: 0

      Don't call facts an opinion. Of course they all are.

    2. Re:VPN is a suckers game by gnick · · Score: 1

      All VPN's have CIA backdoors and are heavily monitored.

      Even the ones not hosted in the US?

      --
      He's getting rather old, but he's a good mouse.
    3. Re:VPN is a suckers game by Anonymous Coward · · Score: 0

      You're not trying to hide from the CIA, just a bunch of rent-seeking "intellectual property" predators.

    4. Re:VPN is a suckers game by AHuxley · · Score: 1

      Yes.
      "Revealed: how US and UK spy agencies defeat internet privacy and security"
      https://www.theguardian.com/wo...
      "... to have cracked the codes used by 15 major internet companies, and 300 VPNs."

      The NSA had XKEYSCORE and found problems with digital certificate.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:VPN is a suckers game by fluffernutter · · Score: 1

      I don't need to change your mind. I'd have to be pretty full on myself to think I would be doing anything the CIA would care about.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    6. Re:VPN is a suckers game by SuperKendall · · Score: 1

      ESPECIALLY the ones not hosted in the U.S.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    7. Re:VPN is a suckers game by SuperKendall · · Score: 1

      I'm not doing anything the CIA would care about either. But that doesn't matter as it's so easy to simply collect everything from everyone and run the result scanning for whatever.

      If you don't care, and many have no reason to care, that is fine. I'm just saying, the reasons for going to all the trouble of setting up a personal VPN for most people may well be kind of moot.

      For companies it still makes sense to me as an extra layer of defense around a few internal targets.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. First things freakin' first by Anonymous Coward · · Score: 0

    Those products need to be renamed to avoid false advertising -- not really their hallmark, so the names must go. PureVPN? shall now be known as WaterdownVPN, zenmate as zentimates, etc. I'm sure their marketdroids can be given one last duty to fulfill, before the doors close at the end of the business day.

  7. "Change My Mind" is a suckers game by Anonymous Coward · · Score: 0

    Change my mind.

    You have already closed up your thinking on this topic. We'd just be wasting our time.

  8. Security ain't easy by Anonymous Coward · · Score: 0

    There's holes in software, intentional or otherwise. There's holes in hardware that we can't do shit about. There's holes in services for various reasons ranging from incompetence to greed to coercion. It all depends ... do you want to conceal yourself more than someone else wants to find you?

    By the way, fuck the term "ethical hackers." Seriously, get the fuck out of here. You're not ethical, you do it for the money. Ethics are arbitrary anyway.

  9. Run your own by Anonymous Coward · · Score: 0

    Run your own.

    It really isn't that hard to setup an openvpn with AES256 encryption either at home or on a VPS. Having one at home allows secured access to your home network from anywhere. Just don't use DNS to make the connection, use the WAN IP.

    If you want to hide what you do from home, then get a VPS somewhere using a pre-paid credit card that isn't connected to your name and go to town. Probably want the VPS to be outside your country and probably NOT in a country friendly with yours.

    Once you know what you are doing, these things take 2 minutes to build from a fresh Linux install. Plus, you can wipe the logs (or disable them completely) if you don't want any evidence remaining.

    There are some reputable VPNs - they don't do business in mainland China or Russia, thanks to laws in those places that require the PKI keys to be turned over to the state. One has survived an FBI demand for data without providing any data. There is a catch, however. They have logs for active connections. Those logs are removed 3 minutes after the connection is closed. That means we don't want to leave connections up 24/7/365. I tend to use it for 3-5 hrs at a time, then drop.

    My home VPN lets me use nextcloud and other cloudy services in a self-hosted way so I don't have to trust or believe the massive cloudy services that most of you sheeple seem to trust. Baaaaah.

  10. Roll your own by duke_cheetah2003 · · Score: 2

    Seriously folks, you want a cheap secure VPN to do whatever you want with? Rent yourself a t2.micro instance on Amazon Web Services, setup OpenVPN and go crazy. It's not even exceptionally difficult. You control it all, the logs, the keys, the server, you decide what gets saved and what gets discarded.

    The cost? About $9/mo for the instance runtime, plus your bandwidth (first 1GB is free, after that, 9 cents a GB, previously I'd posted you pay for bandwidth in both directions, but that's not true. You pay for data out, not data in.)

    1. Re:Roll your own by Anonymous Coward · · Score: 0

      Literally everything on a VPS can be read by the host system and you'll be none the wiser.

    2. Re:Roll your own by krojdest · · Score: 1

      And how it will be safe? You'll provide credit card info to Amazon and Amazon keeps connection logs to your instance.

    3. Re:Roll your own by Anonymous Coward · · Score: 0

      No thanks! I VPN my whole internet connection and transfer around 300GB though it a month. A VPN setup at amazon would probably cost more per month than my internet connection alone. I'll stick with privateinterentaccess.com at a couple bucks a month and using the OpenVPN client in my router.

      And no I do not use it to hide piracy, or hide from the 3 letter agencies. I am sure they are tapped in at any VPN providers exit point. I do it because of the stories about internet providers sniffing your traffic to sell to ad agencies, net neutrality, and providers doing stupid shit like DNS redirection.

    4. Re:Roll your own by Anonymous Coward · · Score: 0

      Seriously folks, you want a cheap secure VPN to do whatever you want with? Rent yourself a t2.micro instance on Amazon Web Services, setup OpenVPN and go crazy. It's not even exceptionally difficult. You control it all, the logs, the keys, the server, you decide what gets saved and what gets discarded.

      The cost? About $9/mo for the instance runtime, plus your bandwidth (first 1GB is free, after that, 9 cents a GB, previously I'd posted you pay for bandwidth in both directions, but that's not true. You pay for data out, not data in.)

      So no privacy (Amazon has access to everything and your payment info), no support (those are unmanaged instances) plus you have to build everything, configure everything, secure everything and maintain everything yourself? Plus it costs more than nearly any other service? Sign me up!

    5. Re:Roll your own by pnutjam · · Score: 1

      I don't see why these posts keep getting so much traction, is it stupidity, malice, or ignorance?

      Point by point:
      1. ) VPS's are difficult to pay for discreetly, most VPN providers support methods of payment that are not linked back to you. Many will take gift cards from most stores at a slight premium, provide "gift-cards" to resellers, or allow cash payments (good luck).

      2.) Few VPS's provide unlimited bandwidth until you get to higher price plans. Most paid VPN's provide unlimited bandwidth. Data Center bandwidth is not expensive and their model calls for no logging, which would make monitoring bandwidth for billing difficult.

      3.) VPS providers log everything. They often provide a level of troubleshooting that requires them to maintain logs. Their business model requires logs. VPN providers do not log.
      ---a) The level of trust here is the same. If both are logging, both have your info. One is less likely to log, even if it's not a certainty. There is also anecdotal support to show many reputable VPN providers stand by their "no logging" guarantee.

      4.) A VPS gives you one egress point, this egress point is probably linked to you and if not, you are still the only one using it. A VPN provider usually provides many egress options. You can change yours at will. Your traffic is mixed with others and probably not logged. Even if it is logged, identifying you is more difficult and requires legal work.

      In conclusion, there are few reasons why a VPS with VPN is better privacy then a VPN from a VPN provider. The cost is more, the privacy is less, and the accessibility is lower when you use a VPS.
      Feel free to paste this with our without attribution next time you see these "just use a VPS" posts. If your making these posts, stop. We get it, your smart enough to setup a vpn server. Now show your smart enough to understand the different problems a VPN provider is handling.

      --
      Cheap storage VM.
    6. Re:Roll your own by duke_cheetah2003 · · Score: 1

      My only goal is to obscure the content of my traffic. Just because I can. Being my VPN is running in bridging mode and spans a few physical locations, the traffic is difficult at best to analyze. I really don't care if "someone" knows I'm connecting to Slashdot's IP address from home, work or from AWS. What I care about is anyone peeking at what that traffic contains. I hide because I can. Between the VPN's ethernet frames being shuttled across, HTTPS and other random noise traffic, I think someone will have a hell of a time trying to pick apart the data and find anything useful. That's the goal of my VPN.

      Now, that aside, if you want more obscuring and more "not me" traffic, add a Tor node to your VPN server to generate more encrypted traffic. The point, in my view, is to generate enough noise (encrypted) that it's near impossible to make sense of what's happening. I'm not looking to mask where I'm coming from, or who I am, merely the content of the data being moved about.

      Analysis of traffic origin and destination is trivial to do. Even with a VPN. So I don't really care or bother about that, it's incredibly difficult to 100% mask origin/destination. So the next best choice is to just make the traffic itself so difficult to work with, it's not worth it. Hell, even Tor connection can be traced origindestination with out a heck of a lot of effort. You have to try very hard to mask origin/destination.

    7. Re:Roll your own by pnutjam · · Score: 1

      Any VPN provider will not see HTTPS traffic. As long as you stay away from dedicated clients you don't have to worry about MITM.
      Your still using a more expensive and more difficult solution. It could make sense if you already have a VPS, but I know the bandwidth charges, for me, would quickly exceed the cost of a dedicated VPN provider, even a more expensive one.

      --
      Cheap storage VM.
  11. Never heart of 'em by Anonymous Coward · · Score: 0

    Never heard of 'em.

    Good thing we only use reliable big name VPNs including Cisco and Checkpoint.

  12. What the heck are they building? by ripvlan · · Score: 1

    These companies are in business to provide said services. You'd think they would have performed this kind of analysis themselves.

    But apparently Testing the product is not all that important. Proper design - maybe. Or are they repackaging something and offering it up with more Marketing than Security. Sure security and animinity are a thin sheet.(where there's a will there's a way).

    While I appreciate an independent review to keep everyone honest - you'd think the bugs would be harder to find or more obscure in nature.

    I have to go - my virus scanner is out of date and requires updating.