Browser extension flaw found to be leaking users’ DNS

Some of the world’s best-known VPN providers have been pushing out fixes to a recently disclosed browser extension vulnerability that could result in users’ DNS being leaked.

Earlier this month, VPN review site The Best VPN published a report that detailed the flaw, which involves Chrome’s DNS prefetching feature.

“We tested 15 VPNs and 10 of them were causing DNS leaks through their Chrome browser extensions,” said The Best VPN’s John Mason, who conducted the research in partnership with Hong Kong-based ethical hacker, File Descriptor.

The 10 affected providers included Betternet, DotVPN, Hola VPN, HotSpot Shield, Ivacy VPN, Opera VPN, PureVPN, TunnelBear, VPN Unlimited, and ZenMate VPN.

DNS giveaway

Chrome’s DNS prefetching feature attempts to resolve domain names before a user tries to follow a link. Once a domain name has been resolved (and if the user does navigate to that domain), there will be no effective delay due to DNS resolution time.

While DNS prefetching was created to reduce browser latency, the researchers found that several VPN browser extensions for Chrome could be forced to leak their users’ DNS through a specially crafted website.

“A malicious website can make a victim to reveal his DNS server’s IP address (usually set by the ISP),” File Descriptor told The Daily Swig. “The ISP and location of the user can then be inferred.

“Besides, anyone who can monitor the traffic – a man-in-the-middle attacker or the ISP – can view the sites the user is visiting.”

Patch update

According to Mason, HotSpot Shield, PureVPN, and TunnelBear all rolled out patches less than a week after the vulnerability report was published.

The Daily Swig can now confirm that Betternet, VPN Unlimited, and ZenMate have also addressed the issue.

A Betternet spokesperson said: “We have released updated versions of all our affected extensions as follows: HSS Chrome extension (version 3.3.8), HSS Firefox (version 3.3.8), and Betternet Chrome (version 5.1.3).”

“We can confirm that you should not experience any DNS leaks using our browser extension,” said Yuriy Zhernovoy of VPN Unlimited.

“We have patched this issue,” said Chris Hardaker of ZenMate VPN.

And Julia Szyndzielorz, senior PR manager for Opera VPN, said the company is “still investigating this issue”.

DotVPN, Hola VPN, and Ivacy VPN did not respond to our request for comment.

Privacy concerns

The Best VPN’s study comes less than a month after consumer insight blog VPN Mentor found that three randomly selected, popular VPN services were leaking sensitive data.

Working in partnership with File Descriptor – along with Paulos Yibelo and a third ethical hacker who wanted to keep his identity private – VPN Mentor said the browser extension flaw could allow governments, hostile organizations, or individuals to identify the actual IP address of a user.

“The fact that we found leaks in all the VPNs that we tested is worrying,” it said. “Our guess is that most VPNs have similar leaks and that users should take this into consideration when using VPNs.”