VPN tests reveal privacy-leaking bugs

Hotspot Shield patched; Zenmate and VPN Shield haven't ... yet?

A virtual private network recommendation site decided to call in the white hats and test three products for bugs, and the news wasn't good.

VPNMentor hired Paulos Yibelo, “File Descriptor” (a Cure53 researcher), and one anonymous researcher to put Pure VPN, Zenmate, and Hotspot Shield to the test. The researchers found IP leaks in all three.

Only Hotspot Shield responded to the test, according to VPNMentor co-founder Ariel Hochstadt.

Hotspot Shield's vulnerabilities were only present in its Chrome extension, Hochstadt wrote, but its desktop and mobile apps are sound. The first allowed an attacker to hijack a user's traffic if they were redirected to a malicious site.

“It detects if the current URL has the query parameter act=afProxyServerPing, and if it does, it routes all traffic to the proxy hostname provided by the server parameter”, he wrote.

That bug seemed to be some internal test code that remained in the public version, and it's been fixed, as have a DNS leak bug and another IP address leak.

The IP leak happened because the extension had a loose whitelist for “direct connection”, as you can see in the code chunk below.

let whiteList = /localhost|accounts\.google|google\-analytics\.com|chrome\-signin|freegeoip\.net|event\.shelljacket|chrome\.google|box\.anchorfree|googleapis|127\.0\.0\.1|hsselite|firebaseio|amazonaws\.com|shelljacket\.us|coloredsand\.us|ratehike\.us|pixel\.quantserve\.com|googleusercontent\.com|easylist\-downloads\.adblockplus\.org|hotspotshield|get\.betternet\.co|betternet\.co|support\.hotspotshield\.com|geo\.mydati\.com|control\.kochava\.com/;
if (isPlainHostName(host) ||
    shExpMatch(host, '*.local') ||
    isInNet(ip, '10.0.0.0', '255.0.0.0') ||
    isInNet(ip, '172.16.0.0', '255.240.0.0') ||
    isInNet(ip, '192.168.0.0', '255.255.0.0') ||
    isInNet(ip, '173.37.0.0', '255.255.0.0') ||
    isInNet(ip, '127.0.0.0', '255.255.255.0') ||
    !url.match(/^https?/) ||
    whiteList.test(host) ||
    url.indexOf('type=a1fproxyspeedtest') != -1)
  return 'DIRECT';

Because the whitelist pattern is unanchored, any hostname that contains localhost bypasses the proxy (for example, localhost.foo.bar.com), and “any URL with type=a1fproxyspeedtest will bypass the proxy”, Hochstadt explained.
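
The loose matching described above, next to a stricter form, as an added example that is not code from the article, the researchers or Hotspot Shield. The whitelist is abbreviated from the snippet, the sample hostnames are constructed, and strictIsDirect with its allowlist entries is a hypothetical hardening, not the vendor's actual fix.

```javascript
// Loose check, abbreviated from the snippet above: an unanchored regex tested
// against the host, plus a substring test against the whole URL.
const looseWhiteList = /localhost|accounts\.google|hotspotshield|127\.0\.0\.1/;

function looseIsDirect(url, host) {
  return looseWhiteList.test(host) ||
    url.indexOf('type=a1fproxyspeedtest') !== -1;
}

// Hypothetical stricter check (an assumption, not the vendor's patch):
// exact hostnames, suffixes matched only on a label boundary, and no
// routing decision based on URL content.
const exactHosts = new Set(['localhost', '127.0.0.1']);
const allowedSuffixes = ['hotspotshield.com'];

function strictIsDirect(url, host) {
  const h = host.toLowerCase().replace(/\.$/, ''); // normalise case, trailing dot
  if (exactHosts.has(h)) return true;
  return allowedSuffixes.some((s) => h === s || h.endsWith('.' + s));
}

// Constructed samples: [url, host]. The second and third are the two
// cases the article describes.
const samples = [
  ['http://localhost/', 'localhost'],
  ['http://localhost.foo.bar.com/', 'localhost.foo.bar.com'],
  ['http://example.test/?type=a1fproxyspeedtest', 'example.test'],
  ['https://support.hotspotshield.com/', 'support.hotspotshield.com'],
  ['https://example.test/', 'example.test'],
];

// Returns the samples that the loose check sends DIRECT (outside the
// proxy) but the strict check keeps inside it.
function findLeakyDecisions(list) {
  return list
    .map(([url, host]) => ({
      url,
      host,
      loose: looseIsDirect(url, host),
      strict: strictIsDirect(url, host),
    }))
    .filter((r) => r.loose && !r.strict);
}

for (const r of findLeakyDecisions(samples)) {
  console.log('loose check bypasses proxy for', r.url);
}
```

The same comparison can serve as a regression test for a PAC-style routing rule: every entry returned by findLeakyDecisions is a request that would leave the tunnel.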

For now, the details about bugs in Zenmate and VPN Shield are being kept under wraps because those vendors haven't responded to VPN Mentor. Both leaked user IPs.

“If you are a user of Zenmate or PureVPN, contact the support team and ask for the vulnerabilities to be fixed ASAP”, the post said. ®



