The job of a VPN, or virtual private network, is to funnel a user's internet and browsing traffic through other servers, making it difficult for others to identify users and eavesdrop on their browsing habits. VPNs are popular in parts of the world where internet access is restricted or censored. Often, the traffic is encrypted so that internet providers, and even the VPN services themselves, have no access to it.
But the research reveals bugs that can leak real-world IP addresses, which in some cases can identify individual users and determine a user's location.
In the case of Hotspot Shield, three separate bugs in how the company's Chrome extension handles proxy auto-config scripts -- used to direct traffic to the right places -- leaked both IP and DNS addresses, which undermines the effectiveness of privacy and anonymity services.
Another bug could have allowed an attacker to hijack and redirect web traffic to a proxy server, according to the research. An attacker could trick a user into clicking a link with malicious parameters, and all traffic would then go to the attacker's server.
AnchorFree, which makes Hotspot Shield, fixed the bugs and noted that its mobile and desktop apps were not affected.
The researchers also reported similar IP leaking bugs to Zenmate and PureVPN.
A PureVPN spokesperson said in an email that the company had fixed the bugs a week earlier.
The report was authored by three researchers: Paulos Yibelo, who also found a similar information leak in Hotspot Shield last month; a pseudonymous researcher who goes by the handle File Descriptor; and a third who wants to keep their identity private.
Some days later, Zenmate responded to a request for comment, disputing the initial report. The company rebutted it with its own statement.