Flaw in popular VPN service reveals user location and Wi-Fi name

February 8, 2018

By

You may have heard of something called a Virtual Private Network or VPN, for short, as a way to boost your online security and privacy. A VPN service is also a good way to hide your internet tracks from would-be snoops.

However, a security researcher just found a security flaw in one of the most popular free VPN services around. This flaw can reportedly reveal a user’s location and Wi-Fi network name and it’s a big privacy risk if successfully exploited.

Read on and I’ll tell you what this VPN security flaw is all about.

What is Hotspot Shield?

Hotspot Shield is a popular VPN service and it is used by around 500 million users around the world. It provides its users with privacy and anonymity while surfing the web.

A VPN works by encrypting your connection, which keeps your activity private. It also hides your physical location and IP address when you browse.

Think of it as a middleman that provides a tunnel between you and the websites you’re visiting. With a VPN, your IP address can be concealed from prying eyes, even from your ISP, so your browsing activity can’t be readily tracked to you.

HotSpot Shield Security Flaw

Independent bug hunter Paulos Yibelo just revealed a flaw in AnchorFree’s HotSpot Shield that can disclose a user’s location and Wi-Fi network name.

Yibelo made his discovery public on Monday after AnchorFree failed to respond to his Twitter messages and tickets in December. He also reported the flaw to Beyond Security who is still looking at the issue.

The information disclosure bug was found on the webserver that Hotspot Shield installs on a user’s computer. With Yibelo’s proof-of-concept code, a hacker can extract configuration data, including location and Wi-Fi network names from the installed web server.

This information can then be used to reveal users by linking the location and Wi-Fi network data.

Although the code only returns values locally, Yibelo said that it can be easily adapted for use in poisoned websites. Yibelo also claimed that he was able to extract real IP addresses of users too.

AnchorFree’s response

In its defense, AnchorFree said it has reviewed the code and it denies Yibelo’s claims. The company said the flaw does not leak “users’ real IP addresses nor any personal information.”

However, AnchorFree does acknowledge that the flaw “may expose some generic information such as the user’s country.”

The company also said that it is going to issue an update to Hotspot Shield this week to remove the source of the flaw.

“We are committed to the safety and security of our users and will provide an update this week that will completely remove the component capable of leaking even generic information,” AnchorFree’s Tim Tsoriev said in an official statement.

He also believes that Hotspot Shield vulnerability does not leak any personal information.