Hotspot Shield VPN Exposes User Data and Location


A well-known cybersecurity expert has discovered that one of the world’s largest virtual private network (VPN) providers is leaking users’ personal information. Hotspot Shield, which has been downloaded over half a billion times and has operated for more than ten years, contains a vulnerability that can reveal the country a user is in, as well as the name of the Wi-Fi network they are using.

How Did This Happen?

The vulnerability was found by researcher Paulos Yibelo, who reported it through the SecuriTeam Secure Disclosure program run by Beyond Security. “Disclosing information such as the Wi-Fi network name can help an attacker easily narrow down their search area and determine the exact location of a potential victim,” Paulos told ZDNet.

ZDNet tested the vulnerability using proof-of-concept code written by Yibelo. With it, they were able to identify users’ Wi-Fi networks, and the result held when ZDNet staff repeated the test from different computers and networks. Yibelo wrote the proof of concept quickly, and it consists of just a few lines: it exploits a vulnerability in the local web server that Hotspot Shield installs on the user’s machine.

The exploit works by loading a JavaScript file hosted on that local web server. Because the server hands out personal and configuration data in the form of a script, a malicious website the user happens to visit can load that script, capture the data it contains, and save it.

According to Yibelo, he was able to successfully obtain the IP addresses of users of this VPN service, although the results were mixed and did not always reveal real IP addresses. In their own research, ZDNet also tried to extract IP addresses but were unsuccessful.

How Did the VPN Provider Respond?

The developers of Hotspot Shield VPN, AnchorFree Inc., categorically deny that real user IP addresses can be obtained through the discovered vulnerability.

“We reviewed and tested the researcher’s report. We found that this vulnerability does not lead to the leakage of a user’s real IP address or any other personal information, but may provide some general information, such as the user’s country. We are committed to our users’ security and will provide a client update this week that will completely remove the component capable of leaking even general information,” said Tim Tsoriev, a representative of AnchorFree.

Interestingly, when Paulos Yibelo discovered the vulnerability in Hotspot Shield VPN, he reported it to AnchorFree in December of the previous year but never received a response. The researcher then submitted the vulnerability to Beyond Security as part of their bug bounty program, but again received no reply from AnchorFree. (Note: A bug bounty is a program where researchers and programmers are offered rewards for finding vulnerabilities and bugs in software products.)

However, in February, AnchorFree finally addressed the issue with the release of a new version of Hotspot Shield VPN.

Is the Vulnerability Gone Now?

Last year, Hotspot Shield VPN was accused by the Center for Democracy & Technology of selling users’ personal data. An official complaint was filed with the U.S. Federal Trade Commission, alleging that Hotspot Shield engaged in unfair and deceptive trade practices. AnchorFree has always claimed that they did not collect any personal information from Hotspot Shield VPN users. There are even two different apps — a paid and a free version. So, what’s the difference?

The Center for Democracy & Technology found that the free version of Hotspot Shield VPN was leaking user information after analyzing the app with Carnegie Mellon University’s automated privacy compliance system for mobile apps.

To determine which VPN is better, you can check out the VPN comparison table from DeepDotWeb or simply read an article about how Russia failed to ban VPNs, as it lists the most reliable VPNs.
