A Virtual Private Network (VPN) is one of the best solutions you can have to protect your privacy and data on the Internet, but you should be more vigilant while choosing a VPN service that really respects your privacy.
If you are using the popular VPN service Hotspot Shield for online anonymity and privacy, you may inadvertently be leaking your real IP address and other sensitive information.
Developed by AnchorFree GmbH, Hotspot Shield is a VPN service available for free on the Google Play Store and the Apple Mac App Store, with an estimated 500 million users around the world.
The service promises to "secure all online activities," hide users' IP addresses and their identities, and protect them from tracking by transferring their internet and browsing traffic through its encrypted channel.
However, an 'alleged' information disclosure vulnerability discovered in Hotspot Shield results in the exposure of users' data, like the name of the Wi-Fi network (if connected) and their real IP addresses, which could reveal their location, and other sensitive information.
The vulnerability, assigned CVE-2018-6460, was discovered and reported to the company by an independent security researcher, Paulos Yibelo, but he made details of the vulnerability public on Monday after not receiving a reply from the company.
According to the researcher's claims, the flaw resides in the local web server (running on a hardcoded host 127.0.0.1 and port 895) that Hotspot Shield installs on the user's machine.
This server hosts multiple JSONP endpoints, which are surprisingly accessible to unauthenticated requests as well, and in response could reveal sensitive information about the active VPN service, including its configuration details.
"http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected and what their real IP address is & other juicy system information. There are other multiple endpoints that provide sensitive information including configuration details," Yibelo claims.
"User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine," the vulnerability description reads.
Yibelo has also publicly released a proof-of-concept (PoC) exploit code, just a few lines of JavaScript, that could allow an unauthenticated, remote attacker to extract sensitive information and configuration data.
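The description above covers the two design faults in one stroke: the local server answers anyone, and it answers in JSONP, so its reply is executable script rather than inert data. The following Python is an added illustration written for this article, not Hotspot Shield's code (which is not reproduced here): a miniature handler in the vulnerable shape beside a hardened one. The status fields, the `app://local-ui` origin, the token scheme and the function names are all hypothetical; only the host, port, `/status.js` path and the `func=$_APPLOG.Rfunc` parameter value come from the page.

```python
import json
import re
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed sample of what a local VPN status endpoint might hold.
# Field names and values are hypothetical, not Hotspot Shield's format.
STATUS = {"connected": True, "server": "vpn-node-example", "country": "XX"}


def jsonp_vulnerable(query: str) -> str:
    """Hypothetical 'before': no authentication, callback name copied verbatim.

    Any web page the user happens to visit can include
    <script src="http://127.0.0.1:895/status.js?func=cb"> and, because the
    reply is JavaScript rather than data, receive STATUS through cb(...).
    The same-origin policy does not protect a reply that is itself a script.
    """
    params = parse_qs(query)
    func = params.get("func", ["callback"])[0]      # e.g. "$_APPLOG.Rfunc" from the page
    return f"{func}({json.dumps(STATUS)})"


# Hardened variant (hypothetical design): a per-launch secret that only the
# app's own UI is given, an Origin allow-list, a Host check against DNS
# rebinding, and plain JSON instead of JSONP so a cross-origin <script>
# tag cannot execute the reply.
SESSION_TOKEN = secrets.token_hex(16)           # handed to the trusted UI at start-up
TRUSTED_ORIGINS = {"app://local-ui"}            # hypothetical origin of the app's UI
LOOPBACK_HOSTS = {"127.0.0.1:895", "localhost:895"}
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # what a sane JSONP name looks like


def status_hardened(query: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Return (http_status, response_headers, body) for a /status request."""
    resp_headers = {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",    # never let the browser treat this as script
    }
    if headers.get("Host", "") not in LOOPBACK_HOSTS:
        return 403, resp_headers, json.dumps({"error": "bad host"})
    if headers.get("Origin", "") not in TRUSTED_ORIGINS:
        return 403, resp_headers, json.dumps({"error": "origin not allowed"})
    params = parse_qs(query)
    token = params.get("token", [""])[0]
    if not secrets.compare_digest(token, SESSION_TOKEN):
        return 403, resp_headers, json.dumps({"error": "missing or wrong token"})
    # No callback parameter is honoured at all: the trusted client parses JSON.
    # (Even a CALLBACK_RE-validated name would still make the reply a script.)
    if "func" in params:
        return 400, resp_headers, json.dumps({"error": "JSONP not supported"})
    return 200, resp_headers, json.dumps(STATUS)


def is_cross_origin_readable(body: str) -> bool:
    """True when a reply is executable JS (JSONP), i.e. readable via <script src>.

    A top-level JSON object literal is a syntax error when evaluated as a
    script, so a plain-JSON reply yields nothing to a cross-origin page.
    """
    return not body.lstrip().startswith("{")


if __name__ == "__main__":
    leaky = jsonp_vulnerable("func=$_APPLOG.Rfunc")
    print("vulnerable reply:", leaky)
    print("readable by any web page:", is_cross_origin_readable(leaky))
    trusted = {"Host": "127.0.0.1:895", "Origin": "app://local-ui"}
    untrusted = {"Host": "127.0.0.1:895", "Origin": "https://some-site.example"}
    print("hardened, trusted UI:", status_hardened(f"token={SESSION_TOKEN}", trusted)[::2])
    print("hardened, random page:", status_hardened("func=cb", untrusted)[::2])
```

The point the example makes is that validating the callback name with `CALLBACK_RE` would not have been enough on its own: as long as the endpoint speaks JSONP without a secret, any origin can read it, so the fix is to stop emitting script and to bind the endpoint to a credential that only the application's own UI holds.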
However, ZDNet reporter Zack Whittaker tried to verify the researcher's claim and found that the PoC code only revealed the Wi-Fi network name and country, but not the real IP address.
In a statement, an AnchorFree spokesperson acknowledged the vulnerability but denied the disclosure of the real IP address as claimed by Yibelo.
"We have found that this vulnerability does not leak the user's real IP address or any personal information, but may expose some generic information such as the user's country," the spokesperson told ZDNet.
The researcher also claims that he was able to leverage this vulnerability to gain remote code execution.
Hotspot Shield also made headlines in August last year, when the Centre for Democracy and Technology (CDT), a US non-profit advocacy group for digital rights, accused the service of allegedly tracking, intercepting and collecting its customers' data.