Usr6 Posted March 15, 2018

We tested 3 popular VPNs: Hotspot Shield, PureVPN, and Zenmate with accredited researchers to find out whether the VPNs could leak data. While we hoped to find zero leaks, we regretfully found that all of them leak sensitive data. On the positive side, after we contacted the VPN vendors, we saw one that was fast to respond and release a patch within days. We are still waiting to hear from the other two VPN vendors, and have decided to publish the information in the hope that they will hurry up and fix the underlying issues for the benefit of their users.

Here is a summary of our findings:

Hotspot Shield, PureVPN, and Zenmate VPN all suffer from IP leaks. The leaks allow governments, hostile organizations, or individuals to identify the actual IP address of a user, even with the use of the VPNs. Zenmate's leak was somewhat minor compared to the two other VPNs.

We believe that most other VPNs suffer from similar issues, so the fast response of Hotspot Shield is something we think is worth commending. We felt that they worked with our research team in a fast and serious manner and that they care for their users. They took our research as help for improvement rather than criticism.

Since the vulnerabilities in PureVPN and Zenmate are still not fixed, we are only sharing information about the vulnerabilities that were found and patched in HotSpot Shield. We advise users of PureVPN and Zenmate to be wary of the leaks they may face and check with their VPN providers for an immediate fix.

The research team

VpnMentor hired a team of three external ethical hackers to find vulnerabilities in three random popular VPNs. While one hacker wants to keep his identity private, the other two are known as File Descriptor and Paulos Yibelo.
File Descriptor is a reputable ethical hacker working for Cure53, the company hired by TunnelBear to identify and fix issues with their VPN applications, and one of the leading companies in security research. Paulos Yibelo, who also managed the team, is a reputable application security researcher. He has found vulnerabilities in popular VPNs and published them in the past. His work was mentioned in ZDNet, SlashDot, and other media sources.

*As part of the agreement with our research team, vpnMentor cannot directly influence the research team nor the conducted research.

Hotspot Shield's Vulnerabilities

These are the technical details of Hotspot Shield's vulnerabilities, which have all been fixed by the company. All the issues are related to PAC scripts and were found in the Chrome plug-in. The mobile and desktop apps were not affected by these vulnerabilities.

– 1 CVE-2018-7879: Hijack all traffic

We observed the following PAC script used in the Hotspot Shield Chrome extension:

```
function FindProxyForURL(url, host) {
  // If the URL carries act=afProxyServerPing, route via the host named in "server"
  if(url.indexOf('act=afProxyServerPing') != -1) {
    let parsed = url.match(/act=afProxyServerPing&server=([^&]+)/);
    if(parsed && parsed[1]) return 'https '+parsed[1]+':443; DIRECT;';
  }
  // ... remaining proxy rules of the script follow here
}
```

It detects if the current URL has the query parameter act=afProxyServerPing, and if it does, it routes all traffic to the proxy hostname provided by the server parameter. This is the root of the proxy hijack. While we believe this is for internal use, it fails to validate what host is making this "call". Therefore any URL with the aforementioned parameters will have the traffic routed to the specified proxy. The problem with this is that a malicious adversary could simply ask a victim to visit a link with those parameters, and all traffic will go to an attacker's proxy server. It would be worse if the connection is over HTTP.
– 2 CVE-2018-7878: DNS leak

We observed the following PAC script:

```
let ip = dnsResolve(host);
```

This means that dnsResolve will make a DNS request via the system DNS. This is essentially leaking DNS, as the proxy is only assigned after all those conditions.

How do we prove it? A simple check in https://www.dnsleaktest.com/ reveals your DNS server. This example shows the leak we found with HotSpot Shield.

[Screenshot: the leak we found with HotSpot Shield on the Chrome extension]

Notice that any site can read the DNS server the user is using (hence leaking your country and other vital information). This site is just a tool to help you check that.

– 3 CVE-2018-7880: IP leak

We observed the following PAC script:

```
let whiteList = /localhost|accounts\.google|google\-analytics\.com|chrome\-signin|freegeoip\.net|event\.shelljacket|chrome\.google|box\.anchorfree|googleapis|127\.0\.0\.1|hsselite|firebaseio|amazonaws\.com|shelljacket\.us|coloredsand\.us|ratehike\.us|pixel\.quantserve\.com|googleusercontent\.com|easylist\-downloads\.adblockplus\.org|hotspotshield|get\.betternet\.co|betternet\.co|support\.hotspotshield\.com|geo\.mydati\.com|control\.kochava\.com/;

if(isPlainHostName(host) || shExpMatch(host, '*.local')
   || isInNet(ip, '10.0.0.0', '255.0.0.0')
   || isInNet(ip, '172.16.0.0', '255.240.0.0')
   || isInNet(ip, '192.168.0.0', '255.255.0.0')
   || isInNet(ip, '173.37.0.0', '255.255.0.0')
   || isInNet(ip, '127.0.0.0', '255.255.255.0')
   || !url.match(/^https?/)
   || whiteList.test(host)
   || url.indexOf('type=a1fproxyspeedtest') != -1)
  return 'DIRECT';
```

What we found is that the whitelist for DIRECT connection is just too loose. Here are two examples we found:

- Any domain containing localhost will bypass the proxy, e.g. localhost.foo.bar.com
- Any URL containing type=a1fproxyspeedtest will bypass the proxy

How do we prove it? We went to this site with the unpatched version of Hotspot Shield, and our actual IP was leaked.

[Screenshot: our IP address was revealed when we tested it]
This means that when Hotspot Shield sees the parameter a1fproxyspeedtest in any URL, it routes all traffic to the proxy hostname provided by the server parameter. Therefore, if a hacker redirects someone who is using HSS to https://example.com/?act=afProxyServerPing&server=mywebsite.com, that website will get a hit from the user's actual IP address.

We found similar vulnerabilities in Zenmate VPN and PureVPN. While Hotspot Shield already updated their service with a patch, we hope this will prompt the other VPNs to do the same.

Additional research on ZenMate and PureVPN

ZenMate's WebRTC leak: a simple check was able to determine that ZenMate's VPN leaked our location.

PureVPN's leak: visiting a website using the Firefox browser revealed our IP address with PureVPN.

We will not go into detail about PureVPN's and ZenMate's vulnerabilities in the hope that they will soon fix them. While they are not exactly like HotSpot Shield's vulnerabilities, they are similar.

VPNs' responses

After fixing the vulnerabilities, Hotspot Shield contacted vpnMentor with this message:

"The researchers hired by vpnMentor did not find any vulnerabilities in the mobile or desktop versions of Hotspot Shield. The vulnerabilities they reported were present only in the free Chrome plug-in. Neither mobile nor desktop users of the Hotspot Shield app were affected by these vulnerabilities. We appreciate and commend vpnMentor's initiative to improve the security of consumer VPN applications, and look forward to seeing more research from their side involving more VPN products in the near future."

What does this mean for a VPN user?

VPNs are not as safe as many may think. The fact that we found leaks in all the VPNs that we tested is worrying. Our guess is that most VPNs have similar leaks and that users should take this into consideration when using VPNs. If you use Hotspot Shield, make sure you have updated your app.
If you are a user of Zenmate or PureVPN, contact the support team and ask for the vulnerabilities to be fixed ASAP.

Source: https://www.vpnmentor.com/blog/vpn-leaks-found-3-major-vpns-3-tested/
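The two Hotspot Shield bypasses described above (the unvalidated act=afProxyServerPing steering parameter and the unanchored DIRECT whitelist) next to a hardened decision function, as an added example that is not the extension's code. The allowlisted hostnames, the proxy pool domain vpn-proxy.example and the abbreviated copy of the quoted regex are assumptions made for illustration.

```javascript
// Added example, not Hotspot Shield's code. The loose logic is distilled from
// the PAC script quoted in the post; the strict logic shows one way to fix it.
// Hostnames and the proxy pool domain below are constructed placeholders.

// Abbreviated copy of the unanchored regex from the quoted script: it matches
// anywhere in the hostname, so "localhost.foo.bar.com" or "evilamazonaws.com" pass.
const looseWhiteList = /localhost|accounts\.google|googleapis|127\.0\.0\.1|amazonaws\.com/;

// Hardened allowlist: exact hostnames plus suffixes matched only on a dot boundary.
const exactAllow = new Set(['localhost', '127.0.0.1', 'accounts.google.com']); // assumed
const suffixAllow = ['googleapis.com', 'amazonaws.com'];                       // assumed
const proxyPoolSuffix = '.vpn-proxy.example';  // assumed domain of the vendor's own proxies
const defaultProxy = 'HTTPS vpn-proxy.example:443';

function isAllowedStrict(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return exactAllow.has(h) || suffixAllow.some(s => h.endsWith('.' + s));
}

// Vulnerable decision logic: any URL may name the proxy, and any URL may bypass it.
function findProxyLoose(url, host) {
  const m = url.match(/act=afProxyServerPing&server=([^&]+)/);
  if (m) return 'HTTPS ' + m[1] + ':443; DIRECT';
  if (looseWhiteList.test(host) || url.indexOf('type=a1fproxyspeedtest') != -1) return 'DIRECT';
  return defaultProxy;
}

// Hardened logic: the steering parameter is honoured only for a hostname inside
// the vendor's own proxy pool, the speed-test marker is not a bypass, and the
// allowlist is anchored. (new URL() is used for parsing in this demonstration.)
function findProxyStrict(url, host) {
  const u = new URL(url);
  if (u.searchParams.get('act') === 'afProxyServerPing') {
    const server = (u.searchParams.get('server') || '').toLowerCase();
    if (/^[a-z0-9.-]+$/.test(server) && server.endsWith(proxyPoolSuffix))
      return 'HTTPS ' + server + ':443';
  }
  return isAllowedStrict(host) ? 'DIRECT' : defaultProxy;
}
```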