New report concludes that add-ons don’t provide enough security or privacy

Most VPN browser extensions are not as private or secure as users think they are.

That’s the takeaway from new research by ethical hacker File Descriptor, who claims that almost all VPN add-ons aren’t protecting computers’ privacy.

A report published this week examined some of the most popular VPN extensions available to download, including ZenMate, uVPN, and DotVPN.

It read: “After several pentests and personal researches on VPN extensions, I can conclude that almost all VPN extensions are vulnerable to different levels of IP leaks and DNS leaks.

“Ironically, although most of them are results of extensions’ misconfigurations, browsers are also responsible as there are a lot of pitfalls and misleading documentations on proxy configurations.”

File Descriptor wrote that, far from being as secure as a VPN desktop app, these extensions “should actually be called proxy extensions” as they don’t offer the same level of protection.

The researcher also noted that a number of VPN extensions were vulnerable to IP and DNS leaks through issues with misusing helper functions, whitelisting hostnames, unencrypted proxy protocols, and Chrome’s DNS prefetching.

More technical details of File Descriptor’s findings can be found in this blog post.

Ariel Hochstadt of VPNMentor echoed File Descriptor’s findings, telling The Daily Swig that extensions are “not safe as standalone software”.

He said: “Many times what VPN companies call ‘VPN extension’ is merely a limited proxy, and users should be concerned with that.”

Hochstadt added: “I would say that if you are looking for a quick, one-click solution to change your IP to watch blocked content, for example, you can use an extension. But if it is privacy that you are worried about, it is not suffice.”