VPN tests reveal privacy-leaking bugs
#1
Quote: Hotspot Shield patched; Zenmate and VPN Shield haven't ... yet?

A virtual private network recommendation site decided to call in the white hats and test three products for bugs, and the news wasn't good.

VPNMentor hired Paulos Yibelo, “File Descriptor” (a Cure53 researcher), and one anonymous researcher to put Pure VPN, Zenmate, and Hotspot Shield to the test. The researchers found IP leaks in all three.

Only Hotspot Shield responded to the test, according to VPNMentor co-founder Ariel Hochstadt.

Hotspot Shield's vulnerabilities were only present in its Chrome extension, Hochstadt wrote, but its desktop and mobile apps are sound. The first allowed an attacker to hijack a user's traffic if they were redirected to a malicious site.

“It detects if the current URL has the query parameter act=afProxyServerPing, and if it does, it routes all traffic to the proxy hostname provided by the server parameter”, he wrote.

That bug seemed to be some internal test code that remained in the public version, and it's been fixed, as were a DNS leak bug, and another IP address leak.

The IP leak happened because the extension had a loose whitelist for “direct connection”, as you can see in the code chunk below.


Code:
let whiteList = /localhost|accounts\.google|google\-analytics\.com|chrome\-signin|freegeoip\.net|event\.shelljacket|chrome\.google|box\.anchorfree|googleapis|127\.0\.0\.1|hsselite|firebaseio|amazonaws\.com|shelljacket\.us|coloredsand\.us|ratehike\.us|pixel\.quantserve\.com|googleusercontent\.com|easylist\-downloads\.adblockplus\.org|hotspotshield|get\.betternet\.co|betternet\.co|support\.hotspotshield\.com|geo\.mydati\.com|control\.kochava\.com/;
if (isPlainHostName(host) ||
    shExpMatch(host, '*.local') ||
    isInNet(ip, '10.0.0.0', '255.0.0.0') ||
    isInNet(ip, '172.16.0.0', '255.240.0.0') ||
    isInNet(ip, '192.168.0.0', '255.255.0.0') ||
    isInNet(ip, '173.37.0.0', '255.255.0.0') ||
    isInNet(ip, '127.0.0.0', '255.255.255.0') ||
    !url.match(/^https?/) ||
    whiteList.test(host) ||
    url.indexOf('type=a1fproxyspeedtest') != -1)
  return 'DIRECT';

Any domain that includes localhost in the URL bypasses the proxy (for example, localhost.foo.bar.com), and “any URL with type=a1fproxyspeedtest will bypass the proxy”, Hochstadt explained.

For now, the details about bugs in Zenmate and VPN Shield are being kept under wraps because those vendors haven't responded to VPN Mentor. Both leaked user IPs.

“If you are a user of Zenmate or PureVPN, contact the support team and ask for the vulnerabilities to be fixed ASAP”, the post said.

SOURCE
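Added example, not part of the original post or of Hotspot Shield's code: the loose host and query-string checks from the quoted snippet next to a stricter allowlist, run over constructed URLs. The shortened whitelist, the `hotspotshield.com` parent domain, the function names and the sample URLs are assumptions made for illustration; the private-range `isInNet` checks are left out.

```javascript
// Added illustration. Shortened, constructed subset of the whitelist quoted above.
const looseWhiteList = /localhost|accounts\.google|hotspotshield|127\.0\.0\.1/;

// Loose decision as in the quoted snippet: unanchored regex over the host,
// plus a substring search over the entire URL.
function looseIsDirect(url, host) {
  return looseWhiteList.test(host) ||
         url.indexOf('type=a1fproxyspeedtest') !== -1;
}

// Hardened decision (assumed design): exact host names and explicit parent
// domains only; nothing in the path or query can select DIRECT.
const EXACT_HOSTS = new Set(['localhost', '127.0.0.1']);
const PARENT_DOMAINS = ['hotspotshield.com']; // assumed vendor domain

function strictIsDirect(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase().replace(/\.$/, '');
  } catch (e) {
    return false; // unparseable URL: fail closed, keep it on the proxy
  }
  if (EXACT_HOSTS.has(host)) return true;
  return PARENT_DOMAINS.some(d => host === d || host.endsWith('.' + d));
}

// Constructed sample URLs; the first two mirror the bypasses the article names.
const SAMPLES = [
  'http://localhost.foo.bar.com/',
  'http://example.test/page?type=a1fproxyspeedtest',
  'http://support.hotspotshield.com/help',
  'http://localhost/',
  'http://example.test/',
];

// Evaluate both policies for each URL so the differences are visible side by side.
function compare(urls) {
  return urls.map(url => ({
    url,
    loose: looseIsDirect(url, new URL(url).hostname),
    strict: strictIsDirect(url),
  }));
}

console.table(compare(SAMPLES));
```

The first two rows are the ones where the loose check returns DIRECT and the strict one keeps the request on the proxy.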
#2
NordVPN confirmed they are not affected by this.

[Image: CIokiAR.png]