A vulnerability in the popular HotSpot Shield VPN client, which is promoted as being able to hide users’ identities, could expose their IP addresses and “other juicy info,” according to a security researcher.
“The server runs on a hardcoded host 127.0.0.1 and port 895,” he wrote. “It hosts sensitive JSONP endpoints that return multiple interesting values and configuration data.”
“[F]or example, http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected to what and what their real IP address is & other system juicy information,” he added. “There are other multiple endpoints that return sensitive data including configuration details.” The bug has been logged as CVE-2018-6460.
While an argument can be made that attacks via this vulnerability would be limited to LANs since the server is installed on a user’s device, the technique known as DNS rebinding could be employed to attack via WANs, Yibelo added.
“In a DNS rebinding, any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost or 127.0.0.1 (making it accessible from the WAN),” he wrote.
AnchorFree could not immediately be reached for comment, but the company told ZDNet it had investigated Yibelo’s report and determined that while the vulnerability could reveal “generic” information such as the country where a user lives, it does not expose their real IP address or personal information. The company plans to issue an update this week that will remove the component that can leak generic data.
HotSpot Shield’s profile rose sharply during the Arab Spring protests, as citizens used it to circumvent government censorship and shield their online identities. The company said last year it had reached 500 million installs. Developed by AnchorFree, it operates on a freemium business model, with paid versions offering more advanced features and the elimination of ads.
In August, the Center for Democracy and Technology filed a complaint with the Federal Trade Commission, alleging deceptive trade practices on the part of HotSpot Shield over its logging activities, use of third-party tracking libraries for advertising purpose, and data-sharing with partners.
AnchorFree denied any wrongdoing, saying it does not engage in any data-collection practices that allow individual users to be identified. In November, the company released a transparency report that reiterated its stance on user privacy and detailed the number of requests it had received from governments for information.
Meanwhile, other VPN vulnerabilities–one extremely serious in nature–have emerged of late. Last month, Cisco patched a vulnerability in its Adaptive Security Appliance software that received a CVSS base score of 10.0, the highest possible. Days later, the vendor reissued the patch after discovering more attack vectors.
In December, researchers found that TunnelBear, another highly popular VPN app, was vulnerable to man-in-the-middle attacks via a weakness in how it implemented certificate pinning and verification when creating a Transport Layer Security (TLS) connection.