There are many reasons for turning to VPN software, but anonymity and hiding one's location are pretty high up the list. A newly-discovered flaw in the popular free VPN Hotspot Shield, however, means that it is possible to determine key pieces of information about users.
The VPN -- produced by AnchorFree -- is used by 500 million people around the world, and security researchers have discovered a vulnerability (CVE-2018-6460) that means it is technically possible to home in on the location of an individual using the service.
Security researcher Paulos Yibelo discovered the flaw recently, and failing to get a response from AnchorFree after notifying the company, he decided to go public. CVE-2018-6460 is yet to be assigned an official severity rating, but Yibelo says that his analysis of the app shows that it is "riddled with bugs that allow sensitive information disclosure and easy compromise." Included in this data is a "user's real IP address and other juicy info."
In a blog post, Yibelo explains that:
Hotspot Shield, when turned on, runs its own web server to communicate with its own VPN client. The server runs on a hardcoded host 127.0.0.1 and port 895. It hosts sensitive JSONP endpoints that return multiple interesting values and configuration data.
For example, http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected, what their real IP address is, and other juicy system information. There are multiple other endpoints that return sensitive data, including configuration details.
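As an added illustration (not code from this article, from Yibelo's post or from AnchorFree), the design problem described above: a localhost control server that answers JSONP can be loaded as a script by any web page the user visits, so the response is readable across origins. The hypothetical jsonp_status handler shows the weak pattern and hardened_status a safer one; the status fields, header names and token mechanism are assumptions, not Hotspot Shield's real format.

```python
import json
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample status; the real status.js schema is not given in the
# article, so these field names and values are made up for illustration.
STATUS = {
    "connected": True,
    "vpn_server": "example-node",
    "real_ip": "203.0.113.7",
    "wifi_ssid": "constructed-ssid",
}

def jsonp_status(url):
    """Weak pattern: JSONP on a localhost service. Any page can include
    <script src="http://127.0.0.1:895/status.js?callback=leak"> and its own
    leak() function receives the whole object, bypassing same-origin policy."""
    query = parse_qs(urlsplit(url).query)
    callback = query.get("callback", ["callback"])[0]
    body = f"{callback}({json.dumps(STATUS)});"
    return 200, {"Content-Type": "application/javascript"}, body

# Hypothetical per-session secret: generated by the VPN client at start-up and
# handed only to its own UI process, never to a browser.
SESSION_TOKEN = secrets.token_urlsafe(32)

def hardened_status(url, headers):
    """Safer pattern: plain JSON only, no callback wrapping, and a secret that a
    web page cannot know. Browser-originated requests (which carry
    Sec-Fetch-Site or Origin) are refused as defence in depth."""
    json_hdr = {"Content-Type": "application/json",
                "X-Content-Type-Options": "nosniff"}
    supplied = headers.get("X-Local-Token", "")
    if not secrets.compare_digest(supplied, SESSION_TOKEN):
        return 403, json_hdr, json.dumps({"error": "forbidden"})
    if "Sec-Fetch-Site" in headers or "Origin" in headers:
        return 403, json_hdr, json.dumps({"error": "browser requests refused"})
    if "callback" in parse_qs(urlsplit(url).query):
        return 400, json_hdr, json.dumps({"error": "JSONP not supported"})
    return 200, json_hdr, json.dumps(STATUS)
```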
The researcher put together proof-of-concept code which ZDNet has verified as revealing the country of origin and Wi-Fi network name of a user. He also reported the vulnerability to Beyond Security's SecuriTeam Secure Disclosure program which says it is looking into the issue.
Tim Tsoriev, VP of Marketing Communications at AnchorFree, issued a statement saying:
We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information.
He also expressed the belief that the vulnerability does not leak any personal information.