Hotspot Shield VPN Is Leaking Users' Data and Location

in news •  7 years ago 


A security researcher has found that one of the world’s largest Virtual Private Network (VPN) providers is leaking users’ private information. Hotspot Shield, which has been downloaded over half a billion times and has been in operation for over a decade, has a bug that can reveal what country a user is located in, as well as leak the name of the WiFi network they are using. The vulnerability in Hotspot Shield’s VPN service was discovered by Paulos Yibelo. Yibelo reported his findings to Beyond Security’s SecuriTeam Secure Disclosure program.

“By disclosing information such as WiFi name, an attacker can easily narrow down or pinpoint where the victim is located,” Paulos Yibelo told ZDNet. When an attacker knows what country a Hotspot Shield VPN user is from, they “can narrow down a list of places” their victim is from, Yibelo said. ZDNet tested the vulnerability in Hotspot Shield’s VPN service using proof-of-concept code that Yibelo wrote. Using Yibelo’s code, they were able to identify users’ WiFi networks, and the vulnerability kept working when tried from different computers and different networks.

Yibelo was able to write his proof-of-concept code very quickly, and it is only a few lines long. The code exploits a vulnerability in the local web server installed by Hotspot Shield. Private information and configuration data are returned when the exploit calls a JavaScript file hosted on that web server. An infected website could capture and store the private information of Hotspot Shield VPN users. According to Yibelo, he was able to obtain Hotspot Shield VPN users’ IP addresses, though with mixed results: he was not always able to capture real IP addresses. In its own testing, ZDNet was unsuccessful in obtaining any real IP addresses of Hotspot Shield VPN users.
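The bug class described above, a loopback web server that hands its data to any page as script, shown beside a stricter request policy for such a service. This is an added example, not code from the article, Yibelo's proof of concept or Hotspot Shield; the handler names, the `x-local-token` header, the status fields and the token are hypothetical.

```javascript
// Added example. Header names, fields and the token are hypothetical.
const STATUS = { connected: true, country: "XX", ssid: "example-wifi" }; // constructed
// Constructed demo secret; a real helper would generate a random per-install
// value and store it where only the local user's UI process can read it.
const DEMO_TOKEN = "constructed-demo-token-0001";

// Weak form: status wrapped in a caller-named function and served as script.
// Any web page can pull it in with a <script> tag, so the same-origin policy
// never gets a chance to block the read.
function weakHandler(req) {
  const cb = req.query.callback || "cb";
  return { status: 200, type: "application/javascript",
           body: `${cb}(${JSON.stringify(STATUS)})` };
}

// Length check plus XOR accumulate, so comparison time does not depend on
// where the first mismatching character is.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened form: loopback Host only, no web-initiated requests, no script
// responses, and a local secret on every call.
function hardenedHandler(req, token = DEMO_TOKEN) {
  const h = req.headers;
  const deny = (status, why) => ({ status, type: "text/plain", body: why });
  // Host check: stops DNS rebinding, where a foreign name resolves to 127.0.0.1.
  if (!/^(127\.0\.0\.1|localhost)(:\d+)?$/.test(h.host || "")) return deny(403, "bad host");
  // Modern browsers label page-initiated requests with Sec-Fetch-Site (and
  // Origin on CORS requests); the native UI is assumed to send neither.
  const site = h["sec-fetch-site"];
  if (h.origin || (site && site !== "none")) return deny(403, "web origin");
  if ("callback" in req.query) return deny(400, "jsonp disabled");
  if (!constantTimeEqual(String(h["x-local-token"] || ""), token)) return deny(401, "bad token");
  return { status: 200, type: "application/json", body: JSON.stringify(STATUS) };
}
```

The token is the control that carries the weight; the header checks reject browser traffic early but depend on the client sending those headers.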

The developer of Hotspot Shield VPN, AnchorFree, Inc., strongly denies that any users’ real IP addresses are being leaked through the vulnerability discovered by Paulos Yibelo. “We have reviewed and tested the researcher’s report. We have found that this vulnerability does not leak the user’s real IP address or any personal information, but may expose some generic information such as the user’s country. We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information,” AnchorFree’s Tim Tsoriev said in a statement.

After Yibelo discovered the vulnerability in Hotspot Shield VPN, he reported it to AnchorFree in December of last year but never received a response from the company. Yibelo then submitted the vulnerability to Beyond Security through their bug bounty program. Beyond Security also did not receive a response from AnchorFree. However, in February, AnchorFree finally addressed the issue with a new version of Hotspot Shield VPN which was recently released. The new version of Hotspot Shield VPN patches the vulnerability discovered by Yibelo.

Last year Hotspot Shield VPN was accused by the Center for Democracy & Technology of selling its customers’ private information. The group filed a formal complaint with the United States Federal Trade Commission (FTC) alleging that Hotspot Shield was guilty of employing unfair and deceptive trade practices. AnchorFree claimed that it did not collect any personal information about Hotspot Shield VPN users. Hotspot Shield VPN comes in both a free version and a paid “Elite Version” subscription. The Center for Democracy & Technology discovered that Hotspot Shield VPN was sharing information after analyzing the free version of the service with Carnegie Mellon University’s Mobile App Privacy Compliance automated system.


Source: https://www.deepdotweb.com/2018/02/27/hotspot-shield-vpn-leaking-users-data-location/
