Virtual Private Network (VPN) tools are supposed to make users feel safe on the Internet, hiding their identity from eventual snoopers, and helping them preserve their privacy in general. That doesn't seem to be the case with Hotspot Shield, however, which put its 500 million users at risk of disclosure of sensitive information for two months.
The vulnerability affecting the VPN (CVE-2018-6460)Â was spotted by security researcher Paulos Yibelo. In a blog post, he explains Hotspot Shield runs its own web server to communicate with its own VPN client, a server that runs on a hardcoded host 127.0.0.1 and port 895. It also hosts sensitive JSONP endpoints that return multiple interesting values and configuration data.
Without going into too many technical details, this combination could help potential attackers get their hands on sensitive information without anyone knowing, including whether the user is connected to a VPN, which VPN, and, the gravest part of it all - their real IP address. Since the whole point of working through a VPN is to hide that IP address, the fact that someone can easily get their hands on it is problematic.
Now, it's not uncommon for this type of tools, or any other type of tools, to carry bugs. The issue at hand is that the company behind the VPN was informed of the bug back in December and did nothing in the time passed. Yibelo claims to have left multiple twitter messages and opened tickets with the company, but they have all gone without reply.
However, ZDnet tried to replicate the Proof of Concept and could not get the same results as Yibelo. The company behind the VPN, as well, claims they did not ignore Yibelo's messages, but simply did not get the same results as he did when running tests.
In an official statement, AnchorFree says their team could not replicate the vulnerability as presented in Yibelo's proof of concept. "While we agree that the Wi-Fi network name could have been leaked due to the bug, this vulnerability did not leak any personally identifiable information. A fix to the Wi-Fi network name vulnerability was released on February 6, and Hotspot Shield users remain secure. The vulnerability is no longer there," the company added on the matter.