A vulnerability in the popular HotSpot Shield VPN client, which is promoted as being able to hide users’ identities, could expose their IP addresses and “other juicy info,” according to a security researcher.
Paulos Yibelo, a researcher who has collected on a number of bug bounties in the past, said in a blog post that HotSpot Shield turns on a web server in order to communicate with the VPN client.
“The server runs on a hardcoded host 127.0.0.1 and port 895,” he wrote. “It hosts sensitive JSONP endpoints that return multiple interesting values and configuration data.”
“[F]or example, http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected, and what their real IP address is, & other juicy system information,” he added. “There are other multiple endpoints that return sensitive data including configuration details.” The bug has been logged as CVE-2018-6460.
While an argument can be made that attacks via this vulnerability would be limited to the local network, since the server listens only on the user’s own device, Yibelo added that the technique known as DNS rebinding could be used to reach it from the WAN through the victim’s browser.
“In a DNS rebinding, any website can simply create a DNS name that they are authorized to communicate with, and then make it resolve to localhost or 127.0.0.1 (making it accessible from the WAN),” he wrote.
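The standard defence against the rebinding scenario Yibelo describes is for a loopback-only service to check the Host header: a browser that has been rebound still sends the attacker’s hostname in Host, even though the TCP connection lands on 127.0.0.1. The example below is an added illustration written for this article, not AnchorFree’s or Yibelo’s code; it is a minimal localhost status service that refuses any request whose Host header does not name the loopback service, and that returns plain JSON rather than JSONP so a cross-origin page cannot read the response. The port is the one quoted above; the endpoint path, the allowed-host set and the status fields are assumptions.

```python
"""Added example (not the VPN client's own code): a localhost HTTP service that
rejects DNS-rebinding requests by validating the Host header.

A page served from attacker-controlled.example (constructed name) that has
rebound that hostname to 127.0.0.1 still makes the browser send
'Host: attacker-controlled.example:895'. Answering only when Host names the
loopback service itself closes that gap.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hostnames a legitimate local client would send. 895 is the port quoted in
# the article; the set of names is an assumption for this example.
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "[::1]"}
PORT = 895


def is_allowed_host(host_header):
    """Return True only if the Host header names the loopback service.

    The port suffix is stripped before comparison, so '127.0.0.1:895' is
    accepted while 'attacker-controlled.example:895' (what a rebinding page
    would cause the browser to send) is not.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal such as '[::1]:895': keep the bracketed part.
        host = host.split("]", 1)[0] + "]"
    elif ":" in host:
        # 'name:port' form: drop the port.
        host = host.rsplit(":", 1)[0]
    return host in ALLOWED_HOSTS


def status_payload():
    """Constructed sample status; a real client would fill this from VPN state."""
    return {"connected": False, "server": None}


class LocalApiHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not is_allowed_host(self.headers.get("Host")):
            # The socket is loopback but the browser asked for a foreign
            # hostname: treat it as a rebinding attempt. 421 = Misdirected Request.
            self.send_error(421, "Host header does not name this local service")
            return
        if self.path != "/status":
            self.send_error(404)
            return
        body = json.dumps(status_payload()).encode()
        self.send_response(200)
        # Plain JSON with no CORS headers and no JSONP callback: a cross-origin
        # page can send the request but cannot read the response body.
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only, never 0.0.0.0.
    HTTPServer(("127.0.0.1", PORT), LocalApiHandler).serve_forever()
```

Binding to 127.0.0.1 alone does not stop rebinding, because the request genuinely arrives on the loopback interface; the Host check is what distinguishes the user’s own client from a rebound browser. Dropping JSONP in favour of plain JSON is the second half of the fix, since JSONP exists precisely to let another origin read the data.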
In a Feb. 7 blog post, AnchorFree said that while it agreed that a user’s Wi-Fi network name could have been leaked due to the vulnerability, it did not expose any personally identifiable information. “A fix to the Wi-Fi network name vulnerability was released on February 6, and Hotspot Shield users remain secure,” the company said. “The vulnerability is no longer there.”
After Yibelo alerted the company to his finding on Dec. 20, AnchorFree’s security team began testing it for proof of concept, the post adds.
“After a thorough evaluation, our team was not able to find any proof that this bug could lead to leaks of personally identifiable information,” it states. “We also could not create any scenario in which the provided proof of concept would lead to deanonymizing our users.”
The vulnerability impacted only Windows users, the post adds.
HotSpot Shield’s profile rose sharply during the Arab Spring protests, as citizens used it to circumvent government censorship and shield their online identities. The company said last year it had reached 500 million installs. Developed by AnchorFree, it operates on a freemium business model, with paid versions offering more advanced features and the elimination of ads.
In August, the Center for Democracy and Technology filed a complaint with the Federal Trade Commission, alleging deceptive trade practices on the part of HotSpot Shield over its logging activities, use of third-party tracking libraries for advertising purposes, and data-sharing with partners.
AnchorFree denied any wrongdoing, saying it does not engage in any data-collection practices that allow individual users to be identified. In November, the company released a transparency report that reiterated its stance on user privacy and detailed the number of requests it had received from governments for information.
Meanwhile, other VPN vulnerabilities, one extremely serious in nature, have emerged of late. Last month, Cisco patched a vulnerability in its Adaptive Security Appliance software that received a CVSS base score of 10.0, the highest possible. Days later, the vendor reissued the patch after discovering more attack vectors.
In December, researchers found that TunnelBear, another highly popular VPN app, was vulnerable to man-in-the-middle attacks via a weakness in how it implemented certificate pinning and verification when creating a Transport Layer Security (TLS) connection.
This post was updated on 2/8/18 at 9:58 a.m. to include comments from AnchorFree.