A flaw in Hotspot Shield can expose VPN users, locations

The virtual private network says it provides a way to browse the web "anonymously and privately," but a security researcher has released code that could identify users' names and locations.

(Image: file photo)

A security researcher has found a way to identify users of Hotspot Shield, a popular free virtual private network service that promises its users anonymity and privacy.

Hotspot Shield, developed by AnchorFree, has an estimated 500 million users around the world relying on its privacy service. By bouncing a user's internet and browsing traffic through its own encrypted pipes, the service makes it harder for others to identify individual users and eavesdrop on their browsing habits.

But an information disclosure bug in the privacy service results in a leak of user data, such as which country the user is located, and the user's Wi-Fi network name, if connected.

That information leak can be used to narrow down users and their location by correlating Wi-Fi network name with public and readily available data.

"By disclosing information such as Wi-Fi name, an attacker can easily narrow down or pinpoint where the victim is located," said Paulos Yibelo, who found the bug. Combined with knowing the user's country, "you can narrow down a list of places where your victim is located," he said.

ZDNet was able to independently verify Yibelo's findings by using his proof-of-concept code to reveal a user's Wi-Fi network. We tested on several machines and different networks, all with the same result.

(Image: ZDNet)

VPNs are popular for activists or dissidents in parts of the world where internet access is restricted because of censorship, or heavily monitored by the state, as these services mask a user's IP addresses that can be used to pinpoint a person's real-world location.

Being able to identify a Hotspot Shield user in an authoritarian state could them at risk.

The vulnerability is found in the web server (hosted on port 895) that Hotspot Shield installs on the user's computer. The proof-of-concept code, just a few lines long, calls from a JavaScript file hosted on the web server to return several sensitive values and configuration data.

He told ZDNet that the code only took him a few seconds to write.

Although the proof-of-concept code only returned the values to the user, he said that the code could be easily adapted to collect and store the user's information, such as from a booby-trapped website.

Yibelo said he was able in limited circumstances to obtain real IP addresses of a user, but that the results were mixed. ZDNet did not see real IP addresses in our tests. For its part, AnchorFree strenuously denied that real IP addresses were exposed, contrary to Yibelo's claim.

On CNET

The Best VPN services for 2018

A virtual private network (VPN) enables users to send and receive data while remaining anonymous and secure online.

Read More

"We have reviewed and tested the researcher's report," said AnchorFree's Tim Tsoriev. "We have found that this vulnerability does not leak the user's real IP address or any personal information, but may expose some generic information such as the user's country."

"We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information," he added.

Yibelo made details of the vulnerability and proof-of-concept code public on Monday after not receiving a response from AnchorFree in December. Yibelo later submitted the bug through a bounty offered by Beyond Security, a cybersecurity firm, which also didn't hear back from the company.

It's not the first time Hotspot Shield has been embroiled in controversy.

Last year, a Washington DC-based privacy group accused the company in a filing with the Federal Trade Commission of violating its "anonymous browsing" promise, by intercepting and redirecting web traffic to partner websites, including advertising companies.

AnchorFree rebuffed the claims as "unfounded."

Update on Wednesday, 9:00pm ET: Yibelo confirmed to ZDNet that a new version of Hotspot Shield, released Tuesday, fixes the vulnerability.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Read More

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All