Hotspot Shield VPN Bug Went Ignored for Two Months, Gets Fix

  • Hotspot Shield VPN bug can expose sensitive data
  • Latest Hotspot Shield Update fixes the vulnerability

Virtual Private Network (VPN) tools are supposed to make users feel safe on the Internet, hiding their identity from eventual snoopers, and helping them preserve their privacy in general. That doesn't seem to be the case with Hotspot Shield, however, which put its 500 million users at risk of disclosure of sensitive information for two months.

The vulnerability affecting the VPN (CVE-2018-6460) was spotted by security researcher Paulos Yibelo. In a blog post, he explains Hotspot Shield runs its own web server to communicate with its own VPN client, a server that runs on a hardcoded host and port 895. It also hosts sensitive JSONP endpoints that return multiple interesting values and configuration data.

Without going into too many technical details, this combination could help potential attackers get their hands on sensitive information without anyone knowing, including whether the user is connected to a VPN, which VPN, and, the gravest part of it all - their real IP address. Since the whole point of working through a VPN is to hide that IP address, the fact that someone can easily get their hands on it is problematic.

Hotspot Shield Client

Now, it's not uncommon for this type of tools, or any other type of tools, to carry bugs. The issue at hand is that the company behind the VPN was informed of the bug back in December and did nothing in the time passed. Yibelo claims to have left multiple twitter messages and opened tickets with the company, but they have all gone without reply.

However, ZDnet tried to replicate the Proof of Concept and could not get the same results as Yibelo. The company behind the VPN, as well, claims they did not ignore Yibelo's messages, but simply did not get the same results as he did when running tests.

In an official statement, AnchorFree says their team could not replicate the vulnerability as presented in Yibelo's proof of concept. "While we agree that the Wi-Fi network name could have been leaked due to the bug, this vulnerability did not leak any personally identifiable information. A fix to the Wi-Fi network name vulnerability was released on February 6, and Hotspot Shield users remain secure. The vulnerability is no longer there," the company added on the matter.



How to Watch Chicago Blackhawks Games Online Without Cable

The Chicago Blackhawks are one of the most widely known teams in the NHL, with a lot of history and a fanbase...

How to Watch Pam & Tommy Online from Anywhere: Release Date, Cast, Plot, & Trailer

This biographical drama series surrounds the infamous controversial '90s tape of Motley Crue drummer Tommy Lee and then-wife actress Pamela Anderson that...

Attack On Titan Becomes Most “In-Demand” Series of 2021

Attack on Titan has indeed come a long way since the manga, by Hajime Isayama, first released in 2009. Of course, the...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari