Hotspot VPN security flaw puts 500M users at risk of losing anonymity, privacy

An attacker could exploit the bug to determine a user's real IP address.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A flaw in a popular VPN service called Hotspot could allow an attacker to determine a user's geographic location and other information.
  • By compromising Hotspot VPN users' anonymity, hackers could put them at risk for retaliation from their government or enemies.

A flaw in the Hotspot Shield VPN could allow an attacker to identify users of the service, putting some at risk of retaliation for their online actions. The vulnerability was first discovered by independent security researcher Paulos Yibelo, who posted a vulnerability report.

VPN services, which mask a user's real IP address, are often used by political activists and rebels to hide their physical location from their enemies or an oppressive government regime, for example. In these instances, a flaw like the one in Hotspot Shield could put these users at risk for serious retaliation. For everyday users, it could lead to privacy violations at the very least.

To work, Hotspot Shield must install a web server on an end user's machine, and that is where the vulnerability lies. This server uses JSON, Yibelo wrote, and hosts some sensitive information.


"User controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address," Yibelo wrote in his vulnerability report.
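The bug class Yibelo describes is a local helper web server that answers any caller, from any origin, with internal state, because the `func` parameter is not checked against an allowlist. The following is an added illustration written for this article, not code from Hotspot Shield, AnchorFree or Yibelo's report: a deliberately vulnerable request handler beside a hardened one. The state fields, the `app://local-ui` origin, the `X-Session-Token` header and the callback names are constructed assumptions used only to show the pattern and its fix.

```python
"""Vulnerable vs. hardened handling of a `func` parameter on a local helper
web server. Constructed example; field names, origins, headers and callback
names are assumptions, not the real product's implementation."""
import secrets

# Constructed internal state of a hypothetical VPN helper process.
INTERNAL_STATE = {
    "vpn_connected": True,
    "vpn_server": "vpn-node.example.invalid",
    "real_ip": "203.0.113.42",  # RFC 5737 documentation address, not a real host
    "country": "XX",
}


def vulnerable_status(method, path, params, headers):
    """Vulnerable pattern: any caller, any origin, any `func` value.

    The handler trusts params["func"] without an allowlist and returns the
    whole internal state, so a web page the user merely visits can issue the
    request from the browser and read fields like real_ip back.
    """
    if method != "POST" or path != "/status.js":
        return 404, {}
    func = params.get("func", "")
    # No filtering of the parameter and no restriction on which fields leave
    # the process: this is the "user controlled input is not sufficiently
    # filtered" condition from the report.
    return 200, {"callback": func, "data": dict(INTERNAL_STATE)}


# Hardened variant -----------------------------------------------------------

# Per-session token handed to the app's own UI out of band (assumed: written to
# a file only the app's UI can read). A remote web page cannot obtain it.
SESSION_TOKEN = secrets.token_urlsafe(32)

# Explicit allowlists: which callbacks a caller may name, and exactly which
# fields each one may return. real_ip is intentionally in neither table.
PUBLIC_FUNCS = {
    "connectionState": ("vpn_connected",),
}
PRIVILEGED_FUNCS = {
    "connectionState": ("vpn_connected",),
    "serverInfo": ("vpn_connected", "vpn_server", "country"),
}

# Assumed origin of the app's trusted UI; browsers send the page's Origin
# header on cross-origin requests, so anything else is a drive-by read.
ALLOWED_ORIGINS = {"app://local-ui"}


def hardened_status(method, path, params, headers):
    """Hardened pattern: origin check, session token, allowlisted func and fields."""
    if method != "POST" or path != "/status.js":
        return 404, {}
    if headers.get("Origin", "") not in ALLOWED_ORIGINS:
        return 403, {"error": "origin not allowed"}
    token = headers.get("X-Session-Token", "")
    privileged = secrets.compare_digest(token, SESSION_TOKEN)
    table = PRIVILEGED_FUNCS if privileged else PUBLIC_FUNCS
    func = params.get("func", "")
    if func not in table:
        # Unknown or unlisted callback names are rejected instead of echoed.
        return 400, {"error": "unknown func"}
    data = {field: INTERNAL_STATE[field] for field in table[func]}
    return 200, {"callback": func, "data": data}


if __name__ == "__main__":
    web_page = {"Origin": "https://untrusted.example"}  # constructed caller
    print("vulnerable:", vulnerable_status("POST", "/status.js", {"func": "x"}, web_page))
    print("hardened:  ", hardened_status("POST", "/status.js", {"func": "serverInfo"}, web_page))
```

The three controls in the hardened handler each close a different part of the gap: the Origin check stops arbitrary web pages from reaching the endpoint at all, the session token separates the app's own UI from everything else, and the per-callback field allowlist means that even a legitimate caller never receives the real IP address, because no callback is defined to return it.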

As noted by our sister site ZDNet, Hotspot Shield has an estimated 500 million users. Combining the data leaked through the flaw with other readily available information could cause problems for many of these users.

ZDNet tested the code provided by Yibelo, and was able to recreate the flaw on a collection of different machines on several networks.

In a separate interview with ZDNet, Yibelo said he was occasionally able to identify some users' real IP addresses, but not all the time. However, AnchorFree, the parent company of Hotspot Shield, denies this claim.

AnchorFree's Tim Tsoriev told ZDNet that the vulnerability only leaked generic information, such as a user's country, but that the company was working on a patch to eliminate it soon.
