Hotspot Shield Flaw puts VPN users at Risk

You just can’t be too careful these days when choosing your VPN provider. In early February of 2018 it was revealed that a security glitch in the popular HotSpot Shield platform was capable of releasing user locations and IP addresses. The flaw was exposed by a security researcher named Paulos Yibelo. HotSpot Shield claims it has since issued a fix for its uers.

Free VPN Giant Rocked With Claims of Security Weakness

HotSpot Shield is one of the world’s leading providers of so-called “free” VPN service. More than 500 million users around the world have downloaded and used the brand’s VPN. Their main reason for doing so is the promise of anonymity and security. Some individuals depend upon this VPN service to keep their online activities hidden while others use the service to unblock restricted websites based on their geographical location. The HotSpot Shield platform is developed by AnchorFree.

The company claims to keep its users anonymous by funneling traffic through its own encrypted tunnels. This process is designed to make it almost impossible for anyone to determine a user’s location and other sensitive details which could reveal their identity. Someone who was able to determine such information could, in theory, link a HotSpot Shield users to specific websites and browsing habits.

Paulos Yibelo, and independent security researcher, discovered an information disclosure bug in the HotSpot Shield framework. Yibelo claims that the bug can reveal the name of a user’s personal WiFi network. This can then be used to cross-reference other information and determine precisely where a person is located.

According to an article at ZDNet, Yibelo stated that “an attacker can easily narrow down or pinpoint where the victim is located.” This is a particularly dangerous scenario for VPN users who live in an authoritarian state. Some of these individuals are dissidents who oppose the authoritarian regime. They use VPN technology to get information about the government’s activities out of the country. In places like China, the consequences for a dissident can be very sever. The flaw located in HotSpot Shield could specifically put those people at serious risk.

ZDNet conducted their own tests to independently confirm the flaw found by Yibelo. Testers used a proof-of-concept code provided by Yibelo to reveal a user’s WiFi network. The testing was conducted on many different machines and on mutiple networks. The results on all of them were the same across the board.

The HotSpot Shield Security Flaw

The precise nature of the HotSpot Shield security flaw involves a vulnerability in the web server installed by the VPN on the user’s computer. The proof-of-concept code is only a few lines long, but it calls from a JavaScript file that is hosted on the web server. The call then returns sensitive information and data. Yibelo claims that writing the code to access the sensitive information took only a few seconds.

Yibelo’s code only returns sensitive information, but the security researcher was quick to point out that the code could be modified in such a way that it permits collection and storing of user information. This would be similar to the manner in which hackers gain information from fake websites that have been booby-trapped.

In select circumstances, Yibelo was able to reveal IP addresses. The testers at ZDNet were not able to duplicate this result. AnchorFree was quick to respond to the findings, stating that no IP addresses were ever at risk on its platform.

A spokesman for the company stated that Yibelo’s report was reviewed and that HotSpot Shield conducted their own testing. An update to the framework was promised, and that update has since been delivered to users of the VPN.

HotSpot Shield has previously been accused on snooping on the browsing activities of its users in order to provide information to third-party advertising companies. Sadly, this is common among VPN providers who claim their service is free.