Vulnerabilities allow hackers access to two popular VPNs
New research from VPNpro has found that two of the top 20 premium VPN apps have crucial vulnerabilities that can allow hackers to push fake updates and install malicious programs or steal user data.
The vulnerabilities in PrivateVPN and Betternet, can allow hackers to intercept communications and force the apps to download a fake update. The update may be automatically installed or the user prompted to install it.
This means a hacker could potentially install anything, allowing them to steal personal data, make bank payments, add the device to a botnet, install ransomware or mine cryptocurrency.
In order for hackers to carry out the attack, they'll need either to be on the same network as you -- usually, the hacker can do this by duping you into connecting to a fake Wi-Fi hotspot (such as 'Cofeeshop') rather than the shop's real Wi-Fi ('Coffeeshop'). Alternatively, the hacker would need to have access to your router in order to modify the DNS server used.
Once hackers have intercepted the communications they are able to convince the VPN software to download a fake update.
VPNpro informed both PrivateVPN and Betternet of the vulnerabilities in February, PrivateVPN rolled out a fix on March 26, while Betternet released their patched version on April 14. If you use either of these VPNs you should ensure you have the latest version installed.
You can read more about the problem on the VPNpro blog.