Hotspot Shield, a virtual private network meant to help users browse the web anonymously and privately, has been found to be vulnerable. The VPN is developed by AnchorFree and has an estimated 500 million users of its free service around the world.
A security researcher by the name of Paulos Yibelo found a bug that allows a person’s Wi-Fi name, user data and even location to be leaked.
ZDNet verified the findings. The vulnerability lies in a web server that the software installs on the end user's computer. The server listens on port 895, and all that is needed to reveal the user's information is a short string of JavaScript code; when it runs, the server returns sensitive configuration data and other values.
The vulnerability may not have been used by hackers yet, but Yibelo claims that the code he produced in seconds could be placed on a website to gather user information. The proof of concept code has been tested and verified on user computers.
He claims that in some limited circumstances he has been able to obtain the user's real IP address. ZDNet has not been able to confirm this, and AnchorFree has denied that a user's IP address can be accessed.
The company claims that the bug may expose the user’s country or origin and other generic information.
AnchorFree released a fix this week, one day after the code was made public, that safeguards even generic data from being accessed. Yibelo claims to have sent the proof of concept code to AnchorFree and waited since December for a reply. He also submitted the bug to Beyond Security, which also never replied. He decided to release the proof of concept code publicly on Monday to push the company to fix the issue.
The bug is a limited one: it relies on the server the software installs, which is coded to listen on port 895 of the local host (127.0.0.1). DNS rebinding could be used to attack a user and obtain their information; otherwise the vulnerability is nearly limited to LANs.
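The DNS rebinding route described above works because a web page can make the browser send requests to a hostname that, at that moment, resolves to 127.0.0.1, so a service listening on the loopback interface sees traffic it assumes only local software could send. The request still carries the attacker's hostname in its Host header, which is why the standard defence is for a loopback-only service to answer requests only for hostnames it actually serves. The following is an added example, not code from Hotspot Shield or AnchorFree; it assumes a loopback HTTP service on port 895 (the port named above) and that `localhost`, `127.0.0.1` and `[::1]` are the only legitimate hostnames for it.

```python
"""
Host-header allow-list for a loopback-only HTTP service.

Added example, not code from Hotspot Shield or AnchorFree. It assumes a
local service on 127.0.0.1:895 (the port named in the article) and shows
the usual defence against DNS rebinding: a script served from a foreign
name that is later re-resolved to 127.0.0.1 still sends that foreign name
in the Host header, so a service that only answers for loopback names
cannot be reached that way.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

LISTEN_PORT = 895  # port from the article (assumed here as the service port)
# Hostnames a legitimate local client will send in the Host header.
TRUSTED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def split_host_header(value):
    """Return (hostname, port-or-None) for a raw Host header value.

    IPv6 literals are bracketed ("[::1]:895"), so the trailing ":port" is
    split off after the closing bracket; for other hosts the last colon
    separates the port. Malformed values yield (None, None).
    """
    if value is None:
        return None, None
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None, None
        host = value[: end + 1].lower()
        rest = value[end + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return None, None
    host, sep, port = value.rpartition(":")
    if not sep:
        return value.lower(), None
    if not port.isdigit():
        return None, None
    return host.lower(), int(port)


def is_trusted_host(header_value, expected_port=LISTEN_PORT):
    """True only for a Host header naming the loopback interface and our port.

    A missing header, a foreign hostname (the rebinding case), a malformed
    value, or a mismatched port are all rejected.
    """
    host, port = split_host_header(header_value)
    if host is None or host not in TRUSTED_HOSTS:
        return False
    if port is None:
        # An absent port means the default HTTP port 80; any other port
        # must be stated explicitly to match.
        return expected_port == 80
    return port == expected_port


class LocalConfigHandler(BaseHTTPRequestHandler):
    """Loopback service that refuses requests carrying a foreign Host."""

    def do_GET(self):
        if not is_trusted_host(self.headers.get("Host")):
            # 421 Misdirected Request: the Host is not one this server serves.
            self.send_error(421, "Host header not allowed")
            return
        # Constructed placeholder payload; a real service would return its own data.
        body = json.dumps({"status": "ok"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to the loopback interface only, as the article's server did.
    HTTPServer(("127.0.0.1", LISTEN_PORT), LocalConfigHandler).serve_forever()
```

Binding to 127.0.0.1 keeps the service off the network, but it does not by itself stop a browser on the same machine from being steered to it, which is exactly the gap rebinding exploits; the Host check closes that gap, and matching the port as well as the name prevents a rebound request aimed at another local port from being mistaken for a legitimate one.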
AnchorFree claims that the vulnerability only impacted Windows users and did not affect other platforms. Other free Windows VPN options were not impacted by the bug.
AnchorFree claims that they did receive the bug report on December 20, and that the company’s team was testing the proof of concept ever since. The company claims that while some user information may have been exposed, the company’s security team could not collect any data that would deanonymize their users.
The company's free VPN service rose in popularity during the Arab Spring protests and has been used by citizens to circumvent government controls. The company's VPN is free, but there is a premium option that offers advanced features and removes ads.
Hotspot Shield is also at the center of another controversy, in which the Center for Democracy and Technology filed a complaint about the company's logging activities. AnchorFree has also denied these claims, stating that it does not collect information that could identify its users.