Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Privacy Security

Privacy-Busting Bugs Found in Popular VPN Services Hotspot Shield, Zenmate and PureVPN (zdnet.com) 60

A report by VpnMentor, a website which ranks VPN services, reveals several vulnerabilities in Hotspot Shield, Zenmate, and PureVPN -- all of which promise to provide privacy for their users. VpnMentor says it hired a team of three external ethical hackers to find vulnerabilities in three random popular VPNs. While one hacker wants to keep his identity private, the other two are known as File Descriptor and Paulos Yibelo. ZDNet: The research reveals bugs that can leak real-world IP addresses, which in some cases can identify individual users and determine a user's location. In the case of Hotspot Shield, three separate bugs in how the company's Chrome extension handles proxy auto-config scripts -- used to direct traffic to the right places -- leaked both IP and DNS addresses, which undermines the effectiveness of privacy and anonymity services. [...] AnchorFree, which makes Hotspot Shield, fixed the bugs, and noted that its mobile and desktop apps were not affected by the bugs. The researchers also reported similar IP leaking bugs to Zenmate and PureVPN.

Privacy-Busting Bugs Found in Popular VPN Services Hotspot Shield, Zenmate and PureVPN

Comments Filter:
  • by 110010001000 ( 697113 ) on Tuesday March 13, 2018 @02:47PM (#56254067) Homepage Journal
    So what VPN provider do you people recommend?
    • Assume that nothing you write on 'web or a 'web connected computer is truly private. This makes some things easier.

      Also may lead to a diminished of the sense of privacy and freedom. This makes some things harder.

    • by gnick ( 1211984 )

      I use Private Internet Access [privateint...access.com] and have zero complaints. Easy to use, plenty fast, and about $40/yr. Well worth it.

    • by Anonymous Coward

      So what VPN provider do you people recommend?

      What they do in the movies ... hack into someone else's host, run your VPN from there to another host you've hacked into ... a couple of layers of that stuff, and you're golden.

      The police show up at some poor unsuspecting grandma's house and shoot her.


    • Use these ratings and decide for yourself: https://thatoneprivacysite.net... [thatoneprivacysite.net]

      I've been using Mullvad for a while and I'm happy with it. Cost is 5 Euros/month with numerous payment options including cash. They have servers all around the world. Compatible with OpenVPN client (I use it on PC and iPhone).

      If you find the website above useful, throw them some dough.
  • by Burz ( 138833 ) on Tuesday March 13, 2018 @03:05PM (#56254209) Homepage Journal

    Use a real VPN client like openvpn with appropriate firewall rules instead.

  • by SuperKendall ( 25149 ) on Tuesday March 13, 2018 @03:26PM (#56254373)

    Opinion: All VPN's have CIA backdoors and are heavily monitored.

    Change my mind.

    • by gnick ( 1211984 )

      All VPN's have CIA backdoors and are heavily monitored.

      Even the ones not hosted in the US?

    • by AHuxley ( 892839 )
      "Revealed: how US and UK spy agencies defeat internet privacy and security"
      https://www.theguardian.com/wo... [theguardian.com]
      "... to have cracked the codes used by 15 major internet companies, and 300 VPNs."

      The NSA had XKEYSCORE and found problems with digital certificate.
    • I don't need to change your mind. I'd have to be pretty full on myself to think I would be doing anything the CIA would care about.
      • I'm not doing anything the CIA would care about either. But that doesn't matter as it's so easy to simply collect everything from everyone and run the result scanning for whatever.

        If you don't care, and many have no reason to care, that is fine. I'm just saying, the reasons for going to all the trouble of setting up a personal VPN for most people may well be kind of moot.

        For companies it still makes sense to me as an extra layer of defense around a few internal targets.

  • by duke_cheetah2003 ( 862933 ) on Tuesday March 13, 2018 @05:42PM (#56255161) Homepage

    Seriously folks, you want a cheap secure VPN to do whatever you want with? Rent yourself a t2.micro instance on Amazon Web Services, setup OpenVPN and go crazy. It's not even exceptionally difficult. You control it all, the logs, the keys, the server, you decide what gets saved and what gets discarded.

    The cost? About $9/mo for the instance runtime, plus your bandwidth (first 1GB is free, after that, 9 cents a GB, previously I'd posted you pay for bandwidth in both directions, but that's not true. You pay for data out, not data in.)

    • And how it will be safe? You'll provide credit card info to Amazon and Amazon keeps connection logs to your instance.

    • by pnutjam ( 523990 )
      I don't see why these posts keep getting so much traction, is it stupidity, malice, or ignorance?

      Point by point:
      1. ) VPS's are difficult to pay for discreetly, most VPN providers support methods of payment that are not linked back to you. Many will take gift cards from most stores at a slight premium, provide "gift-cards" to resellers, or allow cash payments (good luck).

      2.) Few VPS's provide unlimited bandwidth until you get to higher price plans. Most paid VPN's provide unlimited bandwidth. Data Cente
      • My only goal is to obscure the content of my traffic. Just because I can. Being my VPN is running in bridging mode and spans a few physical locations, the traffic is difficult at best to analyze. I really don't care if "someone" knows I'm connecting to Slashdot's IP address from home, work or from AWS. What I care about is anyone peeking at what that traffic contains. I hide because I can. Between the VPN's ethernet frames being shuttled across, HTTPS and other random noise traffic, I think someone wi

        • by pnutjam ( 523990 )
          Any VPN provider will not see HTTPS traffic. As long as you stay away from dedicated clients you don't have to worry about MITM.
          Your still using a more expensive and more difficult solution. It could make sense if you already have a VPS, but I know the bandwidth charges, for me, would quickly exceed the cost of a dedicated VPN provider, even a more expensive one.
  • These companies are in business to provide said services. You'd think they would have performed this kind of analysis themselves.

    But apparently Testing the product is not all that important. Proper design - maybe. Or are they repackaging something and offering it up with more Marketing than Security. Sure security and animinity are a thin sheet.(where there's a will there's a way).

    While I appreciate an independent review to keep everyone honest - you'd think the bugs would be harder to find or more obs

New systems generate new problems.