White hats discover flaws in Hotspot Shield, PureVPN, and Zenmate

UPDATED Shifting concerns surrounding privacy are leading to a sharp increase in the use of virtual private networks (VPNs), as users look to mask their geographic location, access region-restricted websites, and shield their browsing activity from unauthorized third parties.

However, as previous reports have indicated, VPNs are not immune to vulnerabilities, leading many infosec experts to warn that users should never automatically assume they provide full anonymity.

These calls for consumers to exercise caution have been underlined this week, as a team of independent researchers found that three randomly selected, popular VPN services could leak sensitive data.

Consumer insight blog VPN Mentor hired a team of three external ethical hackers to find vulnerabilities in Hotspot Shield, PureVPN, and Zenmate – and they were successful in all three cases.

According to VPN Mentor, the flaws could allow governments, hostile organizations, or individuals to identify the actual IP address of a user, even with the use of the VPNs.

Out of the three vendors, Hotspot Shield and PureVPN have issued updates that address these vulnerabilities.

The now-patched Hotspot Shield flaw was found in the vendor’s free Chrome extension and is not present in the mobile and desktop apps.

PureVPN reached out to The Daily Swig to state that it updated its Firefox extension to include a fix at the beginning of March.

“The Firefox browser, by default, has an inherent limitation where it makes it almost impossible to identify and differentiate remote and local hosts,” said the company’s Kelly Ben.

“Our intention was to allow users the freedom to access all local domains conveniently while using our extension.”

Ben added: “Our extension was last updated on March 7, and this update included the fix for the above-mentioned issue.”

Full technical details surrounding the vulnerabilities have not yet been disclosed, although VPN Mentor issued a warning that similar flaws could also affect other vendors.

“The fact that we found leaks in all the VPNs that we tested is worrying,” it said. “Our guess is that most VPNs have similar leaks and that users should take this into consideration when using VPNs.”

VPN Mentor confirmed that the vulnerabilities were discovered by application security researcher Paulos Yibelo and Hong Kong-based File Descriptor. A third ethical hacker wanted to keep his identity private.

The research comes just days after the US Federal Trade Commission issued fresh advice to consumers who are looking to install VPN apps on their mobile devices.

“Some VPN apps use protocols that do not encrypt your traffic, or encrypt only some of your traffic,” the report read.

“If an app requests particularly sensitive permissions (reading text messages, for example), consider whether the permission makes sense given the app’s purpose and whether you trust the app developer with that access.”


This article has been updated to include the names of the researchers who discovered the vulnerabilities.