Privacy-Busting Bugs Found in Popular VPN Services Hotspot Shield, Zenmate and PureVPN

A report by VpnMentor, a website which ranks VPN services, reveals several vulnerabilities in Hotspot Shield, Zenmate, and PureVPN -- all of which promise to provide privacy for their users. VpnMentor says it hired a team of three external ethical hackers to find vulnerabilities in three random popular VPNs. While one hacker wants to keep his identity private, the other two are known as File Descriptor and Paulos Yibelo. ZDNet: The research reveals bugs that can leak real-world IP addresses, which in some cases can identify individual users and determine a user's location. In the case of Hotspot Shield, three separate bugs in how the company's Chrome extension handles proxy auto-config scripts -- used to direct traffic to the right places -- leaked both IP and DNS addresses, which undermines the effectiveness of privacy and anonymity services. [...] AnchorFree, which makes Hotspot Shield, fixed the bugs, and noted that its mobile and desktop apps were not affected by the bugs. The researchers also reported similar IP leaking bugs to Zenmate and PureVPN.

VPN recommendations

[110010001000]

So what VPN provider do you people recommend?

Re:

[forkfail]

Assume that nothing you write on 'web or a 'web connected computer is truly private. This makes some things easier.

Also may lead to a diminished of the sense of privacy and freedom. This makes some things harder.

Re:

[gnick]

I use Private Internet Access [privateint...access.com] and have zero complaints. Easy to use, plenty fast, and about $40/yr. Well worth it.

Re:

[110010001000]

The site seems to be down.

Re:

[ArhcAngel]

Your browser did the super secret handshake wrong.

Re:

[gnick]

I'm not having an issue with it. Are you trying to access it from a connection that might filter out VPN providers? Pretty sure those were blocked at my last workplace. I'm assuming you're not in Iran or someplace weird where VPN providers are enemies of the state.

Re:

[110010001000]

Yes that is probably it! Thanks.

Re:

[gnick]

I may have a habit of backing unpopular opinions, but let it never be said that I don't check my links. Cheers.

Re:

[breeze95]

I use Private Internet Access [privateint...access.com] and have zero complaints. Easy to use, plenty fast, and about $40/yr. Well worth it.

I concur with everything you wrote. Being using it for 2 years now and would enthusiastically recommend it.

Re:

[pnutjam]

I think AirVPN is the best service oriented privacy VPN.

Re:

[Anonymous Coward]

So what VPN provider do you people recommend?

What they do in the movies ... hack into someone else's host, run your VPN from there to another host you've hacked into ... a couple of layers of that stuff, and you're golden.

The police show up at some poor unsuspecting grandma's house and shoot her.

Profit!

Re:

[Muntzsky]

Use these ratings and decide for yourself: https://thatoneprivacysite.net... [thatoneprivacysite.net]

I've been using Mullvad for a while and I'm happy with it. Cost is 5 Euros/month with numerous payment options including cash. They have servers all around the world. Compatible with OpenVPN client (I use it on PC and iPhone).

If you find the website above useful, throw them some dough.

Re:

[gnick]

You've GOTTA trust your VPN provider. What choice do you have? You could choose to trust your ISP, but they don't even hide the fact that they're mining you.

Re:

[gnick]

I think the rule-of-thumb is 6. Six layers of independent VPNs and then browse only with TOR. The small hit in latency is a small price to pay to keep the Man from connecting my Slashdot account with my Facebook account.

Funky browser plugin "VPNs"

[Burz]

Use a real VPN client like openvpn with appropriate firewall rules instead.

Re:

[pnutjam]

Connect it to PIA so all your traffic routes through a vpn.

Re:

[pnutjam]

Most of these flaws are in browser extensions and such. A company provided desktop client isn't necessarily a bad thing. I use the PIA android app because it supports some features that would be a pain to manage manually.
I also make sure they use openVPN and use that on my home router.

VPN is a suckers game

[SuperKendall]

Opinion: All VPN's have CIA backdoors and are heavily monitored.

Change my mind.

Re:

[gnick]

All VPN's have CIA backdoors and are heavily monitored.

Even the ones not hosted in the US?

Re:

[SuperKendall]

ESPECIALLY the ones not hosted in the U.S.

Re:

[AHuxley]

Yes.
"Revealed: how US and UK spy agencies defeat internet privacy and security"
https://www.theguardian.com/wo... [theguardian.com]
"... to have cracked the codes used by 15 major internet companies, and 300 VPNs."

The NSA had XKEYSCORE and found problems with digital certificate.

Re:

[fluffernutter]

I don't need to change your mind. I'd have to be pretty full on myself to think I would be doing anything the CIA would care about.

Re:

[SuperKendall]

I'm not doing anything the CIA would care about either. But that doesn't matter as it's so easy to simply collect everything from everyone and run the result scanning for whatever.

If you don't care, and many have no reason to care, that is fine. I'm just saying, the reasons for going to all the trouble of setting up a personal VPN for most people may well be kind of moot.

For companies it still makes sense to me as an extra layer of defense around a few internal targets.

Roll your own

[duke_cheetah2003]

Seriously folks, you want a cheap secure VPN to do whatever you want with? Rent yourself a t2.micro instance on Amazon Web Services, setup OpenVPN and go crazy. It's not even exceptionally difficult. You control it all, the logs, the keys, the server, you decide what gets saved and what gets discarded.

The cost? About $9/mo for the instance runtime, plus your bandwidth (first 1GB is free, after that, 9 cents a GB, previously I'd posted you pay for bandwidth in both directions, but that's not true. You pay for data out, not data in.)

Re:

[krojdest]

And how it will be safe? You'll provide credit card info to Amazon and Amazon keeps connection logs to your instance.

Re:

[pnutjam]

I don't see why these posts keep getting so much traction, is it stupidity, malice, or ignorance?

Point by point:
1. ) VPS's are difficult to pay for discreetly, most VPN providers support methods of payment that are not linked back to you. Many will take gift cards from most stores at a slight premium, provide "gift-cards" to resellers, or allow cash payments (good luck).

2.) Few VPS's provide unlimited bandwidth until you get to higher price plans. Most paid VPN's provide unlimited bandwidth. Data Cente

Re:

[duke_cheetah2003]

My only goal is to obscure the content of my traffic. Just because I can. Being my VPN is running in bridging mode and spans a few physical locations, the traffic is difficult at best to analyze. I really don't care if "someone" knows I'm connecting to Slashdot's IP address from home, work or from AWS. What I care about is anyone peeking at what that traffic contains. I hide because I can. Between the VPN's ethernet frames being shuttled across, HTTPS and other random noise traffic, I think someone wi

Re:

[pnutjam]

Any VPN provider will not see HTTPS traffic. As long as you stay away from dedicated clients you don't have to worry about MITM.
Your still using a more expensive and more difficult solution. It could make sense if you already have a VPS, but I know the bandwidth charges, for me, would quickly exceed the cost of a dedicated VPN provider, even a more expensive one.

What the heck are they building?

[ripvlan]

These companies are in business to provide said services. You'd think they would have performed this kind of analysis themselves.

But apparently Testing the product is not all that important. Proper design - maybe. Or are they repackaging something and offering it up with more Marketing than Security. Sure security and animinity are a thin sheet.(where there's a will there's a way).

While I appreciate an independent review to keep everyone honest - you'd think the bugs would be harder to find or more obs