Earlier this week, ZDNet broke news of a security vulnerability in AnchorFree’s Hotspot Shield free VPN service.
A security researcher discovered an “an information disclosure bug” which leaked user data and allowed users of the VPN service to be identified. The leaked data includes details such as user country and name of the Wi-Fi network users are connected to (if utilizing Wi-Fi). As the researcher pointed out, this information can be used to determine a user’s location and identity, without great difficulty: “By correlating Wi-FI network name with public and readily available data.” The vulnerability was found in the web server Hotspot Shield installs on a users’ computer. ZDNet replicated and verified the findings, as well.
This is, obviously, hugely concerning for users of the service. A primacy use for VPNs is to protect user data and privacy, and mask user location. A VPN revealing any personal information invalidates this purpose, violating user privacy not to mention eroding trust in the provider. VPNs are also often used to circumvent censorship, meaning those seeking a safe and secure way to communicate could also be at risk.
AnchorFree issued a response to this report, stating the bug did not leak any personally identifiable information: “With our commitment to transparency, we felt it important to let our users know precisely what happened, and to clarify that while we agree that the Wi-Fi network name could have been leaked due to the bug, this vulnerability did not leak any personally identifiable information.” This statement came with followed up with a caveat: “However, we did discover that in some cases generic information such as a user’s country or their Wi-Fi network name could be exposed.” They also stated they issued a fix for this issue on February 6, 2018.
Not The First Time
This is hardly the first time the company has been in hot water. Just a few months ago they were under attack for use of misleading marketing and the mistreatment of user information. In August, advocacy group Center for Democracy and Technology filed a formal complaint with the Federal Trade Commission (FTC) over the situation, accusing Hotspot Shield of engaging in several deceptive and unfair business practices, namely promising users anonymity and complete privacy, while in fact selling user data, implementing persistent cookies, and in the most egregious instances of all, redirecting traffic to partner domains.
We again remind VPN users and users of all privacy products to do their research when making decisions about who to trust with their personal privacy and information. View our checklist on the matter here.
VyprVPN: Always Secure
In the wake of this recent news, we want to reaffirm to our users that at VyprVPN we take security very seriously, and our VPN services are completely private and secure. We own and operate 100% of our network and hardware, and guarantee user privacy from end-to-end. Read more about the importance of trustworthiness in our article, “You Are the Product: The Price of Free in the Growing Privacy Industry.”