Privacy-Busting Bugs Found in Popular VPN Services Hotspot Shield, Zenmate and PureVPN (zdnet.com)

← Back to Stories (view on slashdot.org)

Privacy-Busting Bugs Found in Popular VPN Services Hotspot Shield, Zenmate and PureVPN (zdnet.com)

Posted by msmash on Tuesday March 13, 2018 @06:40AM from the privacy-woes dept.

A report by VpnMentor, a website which ranks VPN services, reveals several vulnerabilities in Hotspot Shield, Zenmate, and PureVPN -- all of which promise to provide privacy for their users. VpnMentor says it hired a team of three external ethical hackers to find vulnerabilities in three random popular VPNs. While one hacker wants to keep his identity private, the other two are known as File Descriptor and Paulos Yibelo. ZDNet: The research reveals bugs that can leak real-world IP addresses, which in some cases can identify individual users and determine a user's location. In the case of Hotspot Shield, three separate bugs in how the company's Chrome extension handles proxy auto-config scripts -- used to direct traffic to the right places -- leaked both IP and DNS addresses, which undermines the effectiveness of privacy and anonymity services. [...] AnchorFree, which makes Hotspot Shield, fixed the bugs, and noted that its mobile and desktop apps were not affected by the bugs. The researchers also reported similar IP leaking bugs to Zenmate and PureVPN.

29 of 60 comments (clear)

Min score:

Reason:

Sort:

VPN recommendations by 110010001000 · 2018-03-13 06:47 · Score: 2

So what VPN provider do you people recommend?
1. Re:VPN recommendations by forkfail · 2018-03-13 06:58 · Score: 1
  
  Assume that nothing you write on 'web or a 'web connected computer is truly private. This makes some things easier.
  Also may lead to a diminished of the sense of privacy and freedom. This makes some things harder.
  
  --
  Check your premises.
2. Re:VPN recommendations by gnick · 2018-03-13 07:02 · Score: 1
  
  I use Private Internet Access and have zero complaints. Easy to use, plenty fast, and about $40/yr. Well worth it.
  
  --
  He's getting rather old, but he's a good mouse.
3. Re:VPN recommendations by Anonymous Coward · 2018-03-13 07:06 · Score: 1
  
  So what VPN provider do you people recommend?
  What they do in the movies ... hack into someone else's host, run your VPN from there to another host you've hacked into ... a couple of layers of that stuff, and you're golden.
  The police show up at some poor unsuspecting grandma's house and shoot her.
  Profit!
4. Re:VPN recommendations by 110010001000 · 2018-03-13 07:06 · Score: 1
  
  The site seems to be down.
5. Re:VPN recommendations by ArhcAngel · 2018-03-13 07:20 · Score: 1
  
  Your browser did the super secret handshake wrong.
  
  --
  "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
6. Re:VPN recommendations by gnick · 2018-03-13 07:20 · Score: 1
  
  I'm not having an issue with it. Are you trying to access it from a connection that might filter out VPN providers? Pretty sure those were blocked at my last workplace. I'm assuming you're not in Iran or someplace weird where VPN providers are enemies of the state.
  
  --
  He's getting rather old, but he's a good mouse.
7. Re:VPN recommendations by 110010001000 · 2018-03-13 07:33 · Score: 1
  
  Yes that is probably it! Thanks.
8. Re:VPN recommendations by breeze95 · 2018-03-13 10:03 · Score: 1
  
  I use Private Internet Access and have zero complaints. Easy to use, plenty fast, and about $40/yr. Well worth it.
  I concur with everything you wrote. Being using it for 2 years now and would enthusiastically recommend it.
9. Re:VPN recommendations by gnick · 2018-03-13 11:51 · Score: 1
  
  I may have a habit of backing unpopular opinions, but let it never be said that I don't check my links. Cheers.
  
  --
  He's getting rather old, but he's a good mouse.
10. Re: VPN recommendations by pnutjam · 2018-03-14 02:05 · Score: 1
  
  I think AirVPN is the best service oriented privacy VPN.
  
  --
  Cheap storage VM.
11. Re:VPN recommendations by Muntzsky · 2018-03-14 05:49 · Score: 1
  
  Use these ratings and decide for yourself: https://thatoneprivacysite.net...
  
  I've been using Mullvad for a while and I'm happy with it. Cost is 5 Euros/month with numerous payment options including cash. They have servers all around the world. Compatible with OpenVPN client (I use it on PC and iPhone).
  
  If you find the website above useful, throw them some dough.
Funky browser plugin "VPNs" by Burz · 2018-03-13 07:05 · Score: 5, Insightful

Use a real VPN client like openvpn with appropriate firewall rules instead.
1. Re:Funky browser plugin "VPNs" by pnutjam · 2018-03-14 02:07 · Score: 1
  
  Connect it to PIA so all your traffic routes through a vpn.
  
  --
  Cheap storage VM.
Re:Can't trust anyone by gnick · 2018-03-13 07:05 · Score: 1

You've GOTTA trust your VPN provider. What choice do you have? You could choose to trust your ISP, but they don't even hide the fact that they're mining you.

--
He's getting rather old, but he's a good mouse.
VPN is a suckers game by SuperKendall · 2018-03-13 07:26 · Score: 2, Informative

Opinion: All VPN's have CIA backdoors and are heavily monitored.
Change my mind.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:VPN is a suckers game by gnick · 2018-03-13 08:16 · Score: 1
  
  All VPN's have CIA backdoors and are heavily monitored.
  Even the ones not hosted in the US?
  
  --
  He's getting rather old, but he's a good mouse.
2. Re:VPN is a suckers game by AHuxley · 2018-03-13 10:00 · Score: 1
  
  Yes.
  "Revealed: how US and UK spy agencies defeat internet privacy and security"
  https://www.theguardian.com/wo...
  "... to have cracked the codes used by 15 major internet companies, and 300 VPNs."
  
  The NSA had XKEYSCORE and found problems with digital certificate.
  
  --
  Domestic spying is now "Benign Information Gathering"
3. Re:VPN is a suckers game by fluffernutter · 2018-03-13 13:24 · Score: 1
  
  I don't need to change your mind. I'd have to be pretty full on myself to think I would be doing anything the CIA would care about.
  
  --
  Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
4. Re:VPN is a suckers game by SuperKendall · 2018-03-13 15:13 · Score: 1
  
  ESPECIALLY the ones not hosted in the U.S.
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
5. Re:VPN is a suckers game by SuperKendall · 2018-03-13 15:15 · Score: 1
  
  I'm not doing anything the CIA would care about either. But that doesn't matter as it's so easy to simply collect everything from everyone and run the result scanning for whatever.
  If you don't care, and many have no reason to care, that is fine. I'm just saying, the reasons for going to all the trouble of setting up a personal VPN for most people may well be kind of moot.
  For companies it still makes sense to me as an extra layer of defense around a few internal targets.
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
Re:Can't trust anyone by gnick · 2018-03-13 09:33 · Score: 1

I think the rule-of-thumb is 6. Six layers of independent VPNs and then browse only with TOR. The small hit in latency is a small price to pay to keep the Man from connecting my Slashdot account with my Facebook account.

--
He's getting rather old, but he's a good mouse.
Roll your own by duke_cheetah2003 · 2018-03-13 09:42 · Score: 2

Seriously folks, you want a cheap secure VPN to do whatever you want with? Rent yourself a t2.micro instance on Amazon Web Services, setup OpenVPN and go crazy. It's not even exceptionally difficult. You control it all, the logs, the keys, the server, you decide what gets saved and what gets discarded.
The cost? About $9/mo for the instance runtime, plus your bandwidth (first 1GB is free, after that, 9 cents a GB, previously I'd posted you pay for bandwidth in both directions, but that's not true. You pay for data out, not data in.)
1. Re:Roll your own by krojdest · 2018-03-13 10:27 · Score: 1
  
  And how it will be safe? You'll provide credit card info to Amazon and Amazon keeps connection logs to your instance.
2. Re:Roll your own by pnutjam · 2018-03-14 02:39 · Score: 1
  
  I don't see why these posts keep getting so much traction, is it stupidity, malice, or ignorance?
  
  Point by point:
  1. ) VPS's are difficult to pay for discreetly, most VPN providers support methods of payment that are not linked back to you. Many will take gift cards from most stores at a slight premium, provide "gift-cards" to resellers, or allow cash payments (good luck).
  
  2.) Few VPS's provide unlimited bandwidth until you get to higher price plans. Most paid VPN's provide unlimited bandwidth. Data Center bandwidth is not expensive and their model calls for no logging, which would make monitoring bandwidth for billing difficult.
  
  3.) VPS providers log everything. They often provide a level of troubleshooting that requires them to maintain logs. Their business model requires logs. VPN providers do not log.
  ---a) The level of trust here is the same. If both are logging, both have your info. One is less likely to log, even if it's not a certainty. There is also anecdotal support to show many reputable VPN providers stand by their "no logging" guarantee.
  
  4.) A VPS gives you one egress point, this egress point is probably linked to you and if not, you are still the only one using it. A VPN provider usually provides many egress options. You can change yours at will. Your traffic is mixed with others and probably not logged. Even if it is logged, identifying you is more difficult and requires legal work.
  
  In conclusion, there are few reasons why a VPS with VPN is better privacy then a VPN from a VPN provider. The cost is more, the privacy is less, and the accessibility is lower when you use a VPS.
  Feel free to paste this with our without attribution next time you see these "just use a VPS" posts. If your making these posts, stop. We get it, your smart enough to setup a vpn server. Now show your smart enough to understand the different problems a VPN provider is handling.
  
  --
  Cheap storage VM.
3. Re:Roll your own by duke_cheetah2003 · 2018-03-14 03:59 · Score: 1
  
  My only goal is to obscure the content of my traffic. Just because I can. Being my VPN is running in bridging mode and spans a few physical locations, the traffic is difficult at best to analyze. I really don't care if "someone" knows I'm connecting to Slashdot's IP address from home, work or from AWS. What I care about is anyone peeking at what that traffic contains. I hide because I can. Between the VPN's ethernet frames being shuttled across, HTTPS and other random noise traffic, I think someone will have a hell of a time trying to pick apart the data and find anything useful. That's the goal of my VPN.
  Now, that aside, if you want more obscuring and more "not me" traffic, add a Tor node to your VPN server to generate more encrypted traffic. The point, in my view, is to generate enough noise (encrypted) that it's near impossible to make sense of what's happening. I'm not looking to mask where I'm coming from, or who I am, merely the content of the data being moved about.
  Analysis of traffic origin and destination is trivial to do. Even with a VPN. So I don't really care or bother about that, it's incredibly difficult to 100% mask origin/destination. So the next best choice is to just make the traffic itself so difficult to work with, it's not worth it. Hell, even Tor connection can be traced origindestination with out a heck of a lot of effort. You have to try very hard to mask origin/destination.
4. Re:Roll your own by pnutjam · 2018-03-15 02:27 · Score: 1
  
  Any VPN provider will not see HTTPS traffic. As long as you stay away from dedicated clients you don't have to worry about MITM.
  Your still using a more expensive and more difficult solution. It could make sense if you already have a VPS, but I know the bandwidth charges, for me, would quickly exceed the cost of a dedicated VPN provider, even a more expensive one.
  
  --
  Cheap storage VM.
What the heck are they building? by ripvlan · 2018-03-14 01:28 · Score: 1

These companies are in business to provide said services. You'd think they would have performed this kind of analysis themselves.
But apparently Testing the product is not all that important. Proper design - maybe. Or are they repackaging something and offering it up with more Marketing than Security. Sure security and animinity are a thin sheet.(where there's a will there's a way).
While I appreciate an independent review to keep everyone honest - you'd think the bugs would be harder to find or more obscure in nature.
I have to go - my virus scanner is out of date and requires updating.
Re:Don't use a VPN service's software! by pnutjam · 2018-03-14 02:10 · Score: 1

Most of these flaws are in browser extensions and such. A company provided desktop client isn't necessarily a bad thing. I use the PIA android app because it supports some features that would be a pain to manage manually.
I also make sure they use openVPN and use that on my home router.

--
Cheap storage VM.