Hotspot Shield VPN Can Leak Users' Information to Hackers, Fix Incoming

A Virtual Private Network (VPN) is the need of the hour if you want to hide your identity on the Internet. But in a fresh discovery, a security researcher has found that users opting Hotspot Shield, which claims to have over 500 million users worldwide, are at risk as the VPN client is disclosing their sensitive information.

The vulnerability, listed as CVE-2018-6460 on the National Vulnerability Database in the US, lets attackers extract details about the system on which Hotspot Shield is running; moreover, the hackers can figure out whether the user is connected to the VPN and from which location courtesy the bug. AnchorFree, the company behind Hotspot Shield, has reportedly acknowledged the flaw to an extent and promised an update to protect its users.

Web application security researcher and penetration tester Paulos Yibelo, who spotted the Hotspot Shield bug, revealed the VPN client hosts sensitive JSONP endpoints on its native Web server that return various values and configuration data. All this could help a potential attacker to obtain sensitive information secretly. "User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address," reads the description of the vulnerability.

Folks at ZDNet were able to verify the presence of the vulnerability by using the proof-of-concept code developed by Yibelo. The proof-of-concept code calls from a JavaScript file hosted on Hotspot Shield's web server that is installed on the user's computer to return sensitive data, including configuration details of the machine.

While Yibelo claims that he was able to obtain real IP addresses of a Hotspot Shield user in some cases, ZDNet didn't find them during their tests. AnchorFree VP of Marketing Communications Tim Tsoriev also reportedly denied Yibelo's claim regarding the exposed IP addressed, and stated that the vulnerability neither leaks real IP addresses of users nor any personal information. That being said, Tsoriev, in a statement to ZDNet, did mention that the vulnerability "may expose some generic information" and could let attackers see the user's country. The executive also asserted that an update to fix the serious flaw will be released this week.

Interestingly, AnchorFree was aware of the vulnerability exists within Hotspot Shield since December, but it didn't respond to Yibelo's finding at that time. The VPN client claims to to encrypt user data, including passwords, financial transactions, and instant messages and can detect and block more than 3.5 million malicious, phishing, and spam sites. Moreover, it offers a US IP address to mask the actual IP address of its users to let them access the Web anonymously.