According to independent cybersecurity researcher Paulos Yibelo, an information disclosure vulnerability discovered in Hotspot Shield VPN Service has led to users’ data being inadvertently leaked. The vulnerable data includes IP addresses, WiFi network names, users’ location as well as other sensitive information.
Hotspot Shield is an extremely popular VPN service and is available for free on both Google Play Store and Apple Store. The company’s own website claims it is the ‘world’s most popular VPN’. At the last count it had an impressive 500 million users worldwide.
According to Mr Yibelo, the vulnerability resided in the local web server that Hotshot installs on a user’s device. He found the server was vulnerable to unauthenticated requests and could reveal sensitive data about the active VPN service, including its configuration details.
Top five essentials: How to choose a VPN
AnchorFree GmbH, the company that produces Hotspot, did admit that while the vulnerability exposed some generic information it insisted it did not leak the user’s real IP address.
Shield cracked
This is not the first time Hotspot has faced data issues. Back in August the company made headlines when it was accused by the non-profit advocacy group, the Centre for Democracy and Technology (CDT) of tracking, intercepting and collecting its customers’ data.
This followed hot on the heels of the revelation that Kaspersky’s Secure Connection VPN Service had also been embroiled in controversy after questions were asked about the permissions it requests upon installation. This included access to locations, calls and contacts, along with device and app history.
VPN vs Incognito: Which wins?
The latest Hotspot Shield VPN revelation once more throws up the question of how far we can trust our VPN services. Some amass your data such as connection times, dates, IP addresses and keep track of how long you’re connected.
And, while they are secure there may be a question of what they will do with that data. Whether that information could be vulnerable itself or whether they will sell it on to a third party.
Free is never free
Experts have long recommend doing your homework before deciding on a VPN. Particularly for free VPNs.
Free ones have to make money somehow, so you should assume they will make money from your data, logging your activity and using it for marketing purposes.
Paid-for VPNs are a different matter. It is always worth checking their policies on data usage.
Some VPNs will state they do not keep logs and purge them weekly or daily. Some will try to dance around the issue by saying they keep ‘whatever logs are required by law.’ Which can mean anything law enforcement agencies desire.
It is worth looking at review articles that discuss a company’s logging policies and if you can’t find the answers contact them directly and ask.
Finally, always remember that while VPNs are a useful security service they are a huge source of valuable data and, sadly there are cases emerging of VPNs exploiting their customers’ data.
Do your research to find the right services and you’re much more likely to put your valuable personal data beyond the reach of prying eyes.