World-renowned artists create original art to raise money » Discussions

Researcher Claims Hotspot Shield VPN Service Exposes

  • Leader
    December 26, 2019
    Virtual Private Network (VPN) is one of the best solutions you can have
    to protect your privacy and data on the Internet, but you should be more
    vigilant while choosing a VPN service which truly respects your

    If you are using the popular VPN service Hotspot Shield for online
    anonymity and privacy, you may inadvertently be leaking your real IP
    address and other sensitive information.

    Developed by AnchorFree GmbH, Hotspot Shield is a VPN service available
    for free on Google Play Store and Apple Mac App Store with an estimated
    500 million users around the world.

    The service promises to "secure all online activities," hide users' IP
    addresses and their identities and protect them from tracking by
    transferring their internet and browsing traffic through its encrypted
    channel.However, an 'alleged' information disclosure vulnerability
    discovered in Hotspot Shield results in the exposure of users data, like
    the name of Wi-Fi network name (if connected), their real IP addresses,
    which could reveal their location, and other sensitive information.

    The vulnerability, assigned CVE-2018-6460, has been discovered and
    reported to the company by an independent security researcher, Paulos
    Yibelo, but he made details of the vulnerability to the public on Monday
    after not receiving a response from the company.

    According to the researcher claims, the flaw resides in the local web
    server (runs on a hardcoded host and port 895) that Hotspot
    Shield installs on the user's machine.

    This server hosts multiple JSONP endpoints, which are surprisingly
    accessible to unauthenticated requests as well that in response could
    reveal sensitive information about the active VPN service, including its
    configuration details.

    Yibelo has also publicly released a proof-of-concept (PoC) exploit
    code—just a few lines of JavaScript code—that could allow an
    unauthenticated, remote attacker to extract sensitive information and
    configuration data.When comes to the issue of online privacy and
    security, we suggest to use a VPN, and our recommendation is