Hotspot Shield, which enjoys a user base of 500 million users globally, has encountered this bug that was first discovered by Paulos Yibelo, a web application security researcher and penetration tester. AnchorFree has acknowledged the bug and have ensured that a quick fix to the situation will be delivered. Here are the details of the matter.
Hotspot Shield VPN vulnerable to data leaks
For the uninitiated, a VPN or Virtual Private Network is a service that allows you to keep your identity and other credentials secured and secret while browsing the internet. It is always more secure to browse the web using a VPN and Hotspot Shield is one such service, which is currently being used by over 500 million people around the world. Recently, a web application security and research penetration tester, Paulos Yibelo discovered a bug in the VPN, using which “an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address.” The National vulnerability database of USA has listed the vulnerability as CVE-2018-6460. According to Paulos, the bug exposes data about the machine from which internet is being accessed, compromising location and other basic credentials of the user. AnchorFree, the parent company of Hotspot Shield was aware of the issue since December but they did not address it at that time. However, the company has assured that they encrypt all the user data including passwords and other credentials and will soon introduce an update to fix the bug. You can get Hotspot Shield extension for Google Chrome here.