Hotspot Shield Is Back in the News – This Time for Leaking User Locations


Hotspot Shield continues to turn up in (in)security stories despite its popularity. While you may trust your virtual private network to be just that, private, it looks like you could be at risk of an information leak. A security researcher has disclosed a vulnerability in Hotspot Shield that can let attackers identify users and siphon off data, possibly including a user's real IP address.

"I was focusing my research on paid commercial VPN clients with 2M+ installs," Paulos Yibelo writes. "One of the clients that stood out was Hotspot Shield, with similar builds on Android, Windows and Chrome, with each carrying over 3M+ installs worldwide. While analyzing this application, I noticed it's riddled with bugs that allow sensitive information disclosure and easy compromise."


When there's no anonymity on VPNs

Yibelo revealed that when the Hotspot Shield VPN is turned on, it starts a local web server that its own VPN client talks to. "The server runs on a hardcoded host and port 895," the researcher writes. "It hosts sensitive JSONP endpoints that return multiple interesting values and configuration data."

For example, http://localhost:895/status.js returns a JSON response that reveals whether the user is connected to the VPN, which VPN server they are connected to, what their real IP address is, and other juicy system information. Multiple other endpoints return sensitive data, including configuration details.

The researcher has released a proof of concept: a web page that loads the JavaScript file served by the local web server (a JSONP call) so that the returned values and configuration data become readable to the attacker's page. The proof of concept and the researcher's write-up indicate that the user's WiFi name and country can be leaked to attackers this way.

"User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine," the advisory published by the National Vulnerability Database reads.

The flaw is tracked as CVE-2018-6460. Yibelo added that in some cases real IP addresses can also be identified, a possibility the CVE description mentions as well. However, AnchorFree, the company behind Hotspot Shield, denies that possibility. "We have reviewed and tested the researcher's report," an AnchorFree spokesperson said.

"We have found that this vulnerability does not leak the user's real IP address or any personal information, but may expose some generic information such as the user's country." The company said it would release an update this week that will "remove the component capable of leaking even generic information."

While AnchorFree is quick to respond now, the company ignored the researcher's report when it was originally submitted in December, despite multiple attempts to reach it. The researcher then published the bug as a zero day. It is also worth recalling that only a few months ago the company was accused of snooping on users of its free VPN service and redirecting their traffic to partner websites, including advertising companies.