Hotspot Shield, developed by AnchorFree, has an estimated 500 million users around the world relying on its privacy service. By bouncing a user's internet and browsing traffic through its own encrypted pipes, the service makes it harder for others to identify individual users and eavesdrop on their browsing habits.
But an information disclosure bug in the privacy service results in a leak of user data, such as which country the user is located, and the user's Wi-Fi network name, if connected.
That information leak can be used to narrow down users and their location by correlating Wi-Fi network name with public and readily available data.
"By disclosing information such as Wi-Fi name, an attacker can easily narrow down or pinpoint where the victim is located," said Paulos Yibelo, who found the bug. Combined with knowing the user's country, "you can narrow down a list of places where your victim is located," he said.
ZDNet was able to independently verify Yibelo's findings by using his proof-of-concept code to reveal a user's Wi-Fi network. We tested on several machines and different networks, all with the same result.
VPNs are popular for activists or dissidents in parts of the world where internet access is restricted because of censorship, or heavily monitored by the state, as these services mask a user's IP addresses that can be used to pinpoint a person's real-world location.
Being able to identify a Hotspot Shield user in an authoritarian state could them at risk.
He told ZDNet that the code only took him a few seconds to write.
Although the proof-of-concept code only returned the values to the user, he said that the code could be easily adapted to collect and store the user's information, such as from a booby-trapped website.
Yibelo said he was able in limited circumstances to obtain real IP addresses of a user, but that the results were mixed. ZDNet did not see real IP addresses in our tests. For its part, AnchorFree strenuously denied that real IP addresses were exposed, contrary to Yibelo's claim.
"We have reviewed and tested the researcher's report," said AnchorFree's Tim Tsoriev. "We have found that this vulnerability does not leak the user's real IP address or any personal information, but may expose some generic information such as the user's country."
"We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information," he added.
Yibelo made details of the vulnerability and proof-of-concept code public on Monday after not receiving a response from AnchorFree in December. Yibelo later submitted the bug through a bounty offered by Beyond Security, a cybersecurity firm, which also didn't hear back from the company.
It's not the first time Hotspot Shield has been embroiled in controversy.
Last year, a Washington DC-based privacy group accused the company in a filing with the Federal Trade Commission of violating its "anonymous browsing" promise, by intercepting and redirecting web traffic to partner websites, including advertising companies.
AnchorFree rebuffed the claims as "unfounded."
Update on Wednesday, 9:00pm ET: Yibelo confirmed to ZDNet that a new version of Hotspot Shield, released Tuesday, fixes the vulnerability.