Using a VPN is the need of the hour if you are living in a world where every online activity is being tracked, monitored and access is controlled by governments and corporations. But what happens when the VPN itself is leaking the data it is supposed to be protecting?
Well, that is the question staring at us today with the news of a serious vulnerability in HotSpot Shield VPN which is used by more than 500 million people around the world.
The vulnerability which is listed as CVE-2018-6460 on the National Vulnerability Database in the US, allows hackers to collect information about the user’s systems on which the HotSpot Shield VPN is running. The bug also allows hackers to find when the user is connecting to the VPN and even reveals the location of the user which completely defeats the purpose of using a VPN.
The bug was first found by the web application security researcher and penetration tester Paulos Yibelo, who in a blog post detailed the characteristics of the vulnerability. In the blog post, Paulos Yibelo wrote that,
“While analyzing this application, I noticed its riddled with bugs that allow sensitive information disclosure and easy compromise.”
Further, he takes a deep dive into the technical aspect of the bug:
“Hotspot Shield when turned on runs its own web server to communicate with its own VPN client. The server runs on a hardcoded host 127.0.0.1 and port 895. It hosts sensitive JSONP endpoints that return multiple interesting values and configuration data. “
According to Paulos, this generates a JSON response with details of the user, the VPN service being used, the real IP address and other system information.
AnchorFree which is the parent company of HotSpot Shield VPN responded by saying that the vulnerability doesn’t reveal any IP information. However, in a statement given to ZDNet by Tim Tsoriev, VP of AnchorFree, accepted that the vulnerability does exist and may expose some generic information.
It still unclear as to how deeply this vulnerability affects the current users of HotSpot Shield VPN, that said until the company releases a fix, it would be better if users stop using the VPN for security purposes.