Critical vulnerabilities found in popular VPN apps, claim security researchers


Researchers have found various flaws in popular VPN applications that may have exposed users to hackers, allowing attackers to install malicious updates and ransomware remotely.

According to the experts, top VPN apps including PrivateVPN and Betternet were found to download fake software updates, forcing users to install malware, keyloggers and the like, and eventually helping attackers steal private data.

Other VPN applications like Torguard, CyberGhost, and Hotspot Shield allowed the researchers to intercept the communication, but only between the malicious system and the update endpoint, so they were not considered to be vulnerable.

In an email to TechRadar Pro, Torguard alleges that VPNPro's article is misleading and will only scare the regular user.

"Our app is not vulnerable in any way, what they refer to here is a simple update call to our update server, they can check this call yes (big deal) anyone can see this through a regular firewall, but they can't do anything with it, our app verifies every site/certificate it needs to connect with and has a whitelisted set of certs stored (hardcoded) into the app so it would never accept anything other than the real certs - this way nothing could ever tell you to do any different, it's extremely misleading to the regular user, it makes out TorGuard VPN can be “Intercepted” which is complete nonsense", the email added.

Hotspot Shield also reacted to the claims by VPNPro, saying:

"It is not possible to decrypt communications between our clients and our backend solely via a rogue WiFi or takeover of the router. The only way this can be accomplished is by also breaking military-grade, 256-bit encryption (as Cyberghost notes in their response) or putting a malicious root certificate on the user's computer. This is not easily done, and certainly not from just getting the user to join a rogue WiFi. If either of these things happened, then most network communications would be compromised - including all web browsing - banking websites, etc. It would be great for you to make this clearer in your piece.

Also, it is important to note that this research does not focus on the encryption of actual VPN sessions, just on how the client application communicates with our servers for software updates, etc. Hotspot Shield uses our proprietary Hydra VPN protocol, which implements an advanced security technique called certificate pinning, so even a malicious root certificate will not affect our clients. Other VPN services that use open source implementations of VPN protocols would actually be at risk of compromise using the techniques described."
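The certificate pinning that both vendor statements describe can be sketched as follows. This is an added example, not code from TorGuard, Hotspot Shield or VPNpro; the function names are hypothetical and the pinned value is derived from constructed placeholder bytes rather than a real certificate.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder: stands in for the DER bytes of the real update
# server's certificate. A real client would ship the fingerprint only.
GENUINE_CERT_DER = b"constructed-der-bytes-of-genuine-update-server-cert"
PINNED_SHA256 = frozenset({hashlib.sha256(GENUINE_CERT_DER).hexdigest()})


def cert_is_pinned(cert_der: bytes, pins=PINNED_SHA256) -> bool:
    """Return True only if the certificate's SHA-256 fingerprint is hardcoded."""
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    # The decision ignores who issued the certificate, so a certificate that
    # chains to a rogue root installed on the machine still fails this check.
    return any(hmac.compare_digest(fingerprint, pin) for pin in pins)


def open_pinned_connection(host: str, port: int = 443, pins=PINNED_SHA256):
    """Open the update-check TLS connection, refusing unpinned certificates."""
    context = ssl.create_default_context()  # normal chain and hostname checks
    sock = socket.create_connection((host, port), timeout=10)
    try:
        tls = context.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    # Pin check runs after the handshake and before any update data is requested.
    # This pins the whole leaf certificate, so pins must be rotated with it.
    if not cert_is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("update server certificate is not in the pinned set")
    return tls
```

Pinning protects the channel to the update server; it does not by itself authenticate the downloaded installer.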

Both Betternet and PrivateVPN were informed in February 2020, after which the flaws were patched. However, VPNpro states that “rather than protect their users’ data, PrivateVPN and Betternet have instead overlooked a crucial security aspect that allows for malicious actors to steal that data or do even worse actions.”

Vulnerable VPNs

PrivateVPN not only downloaded a fake software update, it also installed the update without letting the user know about it. Betternet, on the other hand, did download the fake app, but it sent a notification to the user to update the desktop application.

Once installed, it would be a cakewalk for hackers to collect and steal personal data, process unauthorized payments, install ransomware on the device, or use the system for various illegal activities.

Other VPN apps that were part of this test (ExpressVPN, Surfshark, NordVPN, Tunnel Bear, IPVanish, PIA, Windscribe, Ivacy, HMA, VyprVPN, ProtonVPN, TurboVPN, PureVPN, Hide.me and Hola VPN) were found to be safe and did not have this vulnerability. VPNpro states that the researchers were not able to intercept the connection made using these VPNs.

To ensure safety, the experts advise against downloading anything, especially software updates, while you’re connected to free or public WiFi, and suggest that users “be extra safe and not use public wifi at all, or make sure that the wifi you’re connecting to is actually from the cafe, airport, or whatever location. That’s one important step you can take, but it can be hard to verify the free wifi you’re using.”

Via: VPNPro