Recent investigations have identified severe vulnerabilities in three widely-used VPN services that could expose users’ actual IP addresses and other sensitive information. Virtual Private Networks (VPNs) are typically employed to safeguard online activities through data encryption, enhance security, and obscure users’ real IP addresses. Many users opt for VPNs to maintain online anonymity and circumvent restrictive internet censorship imposed by ISPs, thereby accessing otherwise blocked websites.

However, concerns arise when VPN services, thought to provide privacy protection, are discovered to leak personal data and user locations. A team of ethical hackers, engaged by VPN Mentor, reported that three popular VPN services (HotSpot Shield, PureVPN, and ZenMate) exhibited vulnerabilities that pose significant risks to user privacy. The research team includes noted application security researcher Paulos Yibelo, alongside another ethical hacker known as “File Descriptor.” The third member’s identity has not been disclosed for privacy reasons.

Notably, PureVPN has previously faced scrutiny for violating its no-log policy, having assisted law enforcement in a cyberstalking case by providing user logs. Following extensive privacy testing, the team found all three VPNs leaking users’ real IP addresses—information that can lead to the identification of individual users and their locations. VPN Mentor emphasized that these vulnerabilities could enable governments, hostile organizations, or individuals to trace a user’s original IP address, effectively undermining the primary purpose of VPN technology.

While the exact issues related to ZenMate and PureVPN have yet to be resolved, VPN Mentor indicates that the vulnerabilities within ZenMate are less critical than those found in HotSpot Shield and PureVPN. In the case of HotSpot Shield, the team identified three discrete vulnerabilities, all of which have since been addressed by the company. One of these flaws, attributed to its Chrome extension, could have allowed remote attackers to hijack and redirect web traffic to malicious sites.

Another critical vulnerability was a DNS leak that exposed users’ original IP addresses to DNS servers, allowing ISPs to surveil and log their activities. A third flaw put users’ location data at risk, enabling potential attackers to circumvent the VPN by exploiting a loose whitelisting condition within the extension. Importantly, these vulnerabilities were present solely in HotSpot Shield’s free Chrome plugin, not its desktop or mobile applications.
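
The article does not give the exact whitelisting condition, so the following added example (not code from HotSpot Shield or any other VPN extension) assumes one common form of the bug: a bypass rule that matches a substring of the URL instead of the exact hostname. The bypass list, function names and sample URLs are hypothetical and constructed; the block contrasts the loose rule with a strict one and includes a regression check an extension developer could run against both.

```javascript
// Hypothetical list of hosts an extension lets bypass the tunnel (assumption).
const BYPASS_HOSTS = ["localhost", "updates.vpn-vendor.example"];

// Loose rule: "whitelisted" if the name appears anywhere in the URL string.
function routeLoose(url) {
  return BYPASS_HOSTS.some((h) => url.includes(h)) ? "DIRECT" : "PROXY";
}

// Strict rule: parse the URL, compare the exact hostname, fail closed.
function routeStrict(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return "PROXY"; // unparseable input never bypasses the tunnel
  }
  return BYPASS_HOSTS.includes(host) ? "DIRECT" : "PROXY";
}

// Regression check: list URLs a rule sends outside the tunnel even though
// their real hostname is not on the bypass list. Empty result = no leak.
function findLeaks(route, urls) {
  return urls.filter((u) => {
    const host = new URL(u).hostname.toLowerCase();
    return route(u) === "DIRECT" && !BYPASS_HOSTS.includes(host);
  });
}

// Constructed sample URLs (not taken from the research).
const SAMPLE_URLS = [
  "https://updates.vpn-vendor.example/manifest.json", // intended bypass
  "https://site.example/page?ref=localhost",          // name only in query
  "https://localhost.site.example/",                  // name only as a label
  "https://site.example/news",                        // ordinary traffic
];

console.log("loose rule leaks:", findLeaks(routeLoose, SAMPLE_URLS));
console.log("strict rule leaks:", findLeaks(routeStrict, SAMPLE_URLS));
```

Any request the rule routes DIRECT leaves the browser with the user’s real IP address, which is why the strict rule fails closed to PROXY.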

Similar vulnerabilities affecting the Chrome plugins of ZenMate and PureVPN are still under wraps, as the respective companies have yet to issue fixes. Researchers suspect that many other VPN services could be grappling with comparable issues, amplifying the privacy risks faced by end users.

The MITRE ATT&CK framework offers a way to describe the tactics and techniques potentially involved here. Initial access could have been achieved through exploitation of the Chrome plugins, while persistence and privilege escalation may also be relevant to the vulnerabilities that remain unresolved. The data leaks represent a failure of the protections these services ostensibly offer users, indicating a pressing need for enhanced scrutiny and reform within the VPN industry.
