Hotspot Shield VPN Can Leak Users' Information to Hackers, Fix Incoming

By Jagmeet Singh | Updated: 7 February 2018 11:30 IST
Highlights
  • Hotspot Shield found to have a serious vulnerability
  • The flaw could let attackers extract sensitive information
  • AnchorFree has promised an update to patch the vulnerability

A Virtual Private Network (VPN) is the need of the hour if you want to hide your identity on the Internet. But in a fresh discovery, a security researcher has found that users opting for Hotspot Shield, which claims to have over 500 million users worldwide, are at risk because the VPN client discloses their sensitive information.

The vulnerability, listed as CVE-2018-6460 on the National Vulnerability Database in the US, lets attackers extract details about the system on which Hotspot Shield is running; through the bug, attackers can also figure out whether the user is connected to the VPN and from which location. AnchorFree, the company behind Hotspot Shield, has reportedly acknowledged the flaw to an extent and promised an update to protect its users.

Web application security researcher and penetration tester Paulos Yibelo, who spotted the Hotspot Shield bug, revealed the VPN client hosts sensitive JSONP endpoints on its native Web server that return various values and configuration data. All this could help a potential attacker to obtain sensitive information secretly. "User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address," reads the description of the vulnerability.

Folks at ZDNet were able to verify the presence of the vulnerability using the proof-of-concept code developed by Yibelo. The proof-of-concept code calls a JavaScript file hosted on Hotspot Shield's web server, which is installed on the user's computer, and that file returns sensitive data, including configuration details of the machine.
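An added example, not from the article or from AnchorFree's code, contrasting the reflected-callback JSONP pattern the vulnerability description refers to with a hardened local status endpoint. The handler shape, the `x-session-token` header, and all field names and values are assumptions constructed for illustration.

```javascript
// Added illustration, not Hotspot Shield code. All names and values are constructed.
const STATUS = { connected: true, vpnCountry: "US", realIp: "203.0.113.7", version: "0.0.0" };
const PUBLIC_FIELDS = ["version"]; // the only fields allowed to leave the process

// Weak pattern: `func` from the request becomes the JSONP callback, so any page that
// loads this URL as a script receives the whole status object.
function vulnerableStatus(params) {
  const body = `${params.func}(${JSON.stringify(STATUS)});`;
  return { status: 200, headers: { "Content-Type": "application/javascript" }, body };
}

// Compare two strings without returning early on the first differing character.
function sameToken(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function deny(status) {
  return { status, headers: { "Content-Type": "text/plain" }, body: "" };
}

// Hardened pattern: no callback parameter at all, plain JSON, minimal fields, and a
// per-session token in a custom header (a <script> tag cannot set request headers).
function hardenedStatus(req, sessionToken) {
  const host = String(req.headers["host"] || "").toLowerCase();
  // Reject unexpected Host values so a rebound DNS name cannot reach the local server.
  if (!/^(127\.0\.0\.1|localhost)(:\d{1,5})?$/.test(host)) return deny(403);
  if (!sameToken(req.headers["x-session-token"], sessionToken)) return deny(401);
  const out = {};
  for (const key of PUBLIC_FIELDS) out[key] = STATUS[key];
  return {
    status: 200,
    headers: { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff" },
    body: JSON.stringify(out),
  };
}
```

The session token is assumed to be generated at startup and handed to the client's own UI over a local channel that web pages cannot read.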


While Yibelo claims that he was able to obtain real IP addresses of a Hotspot Shield user in some cases, ZDNet didn't find them during their tests. AnchorFree VP of Marketing Communications Tim Tsoriev also reportedly denied Yibelo's claim regarding the exposed IP addresses, and stated that the vulnerability neither leaks real IP addresses of users nor any personal information. That being said, Tsoriev, in a statement to ZDNet, did mention that the vulnerability "may expose some generic information" and could let attackers see the user's country. The executive also asserted that an update to fix the serious flaw will be released this week.

Interestingly, AnchorFree has been aware of the vulnerability in Hotspot Shield since December, but it didn't respond to Yibelo's finding at that time. The VPN client claims to encrypt user data, including passwords, financial transactions, and instant messages, and to detect and block more than 3.5 million malicious, phishing, and spam sites. Moreover, it offers a US IP address to mask the actual IP address of its users to let them access the Web anonymously.

 
