Hotspot Shield VPN flaw can betray users’ location
A flaw in the widely used Hotspot Shield VPN utility can be exploited by attackers to obtain sensitive information that could be used to discover users’ location and, possibly, their real-world identity.
About the vulnerability
According to the entry for the vulnerability (CVE-2018-6460) in the National Vulnerability Database, Hotspot Shield runs a web server bound to the static loopback address 127.0.0.1 on port 895, and that web server uses JSONP and hosts sensitive information, including configuration.
But user-controlled input is not sufficiently filtered: “An unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address.”
According to researcher Paulos Yibelo, who discovered the flaw, the attacker can also extract information such as the user’s country code and Wi-Fi network name, if the user is connected to one.
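The defensive lesson from the advisory is that a loopback-bound status endpoint is reachable from any web page the user has open, and JSONP makes its output loadable as a script from another origin. The following is an added example, not code from Hotspot Shield or AnchorFree: it contrasts a handler that reflects the `func` parameter unchecked with a hypothetical hardened handler (per-run secret token known only to the client’s own UI, plain JSON by default, strict callback allowlist if JSONP is kept). The status values are constructed placeholders.

```python
import json
import re
import secrets

# Constructed sample of the kind of status a local VPN helper might expose
# (placeholder values, not real data from the advisory).
STATUS = {"vpn_connected": True, "country": "XX", "ssid": "example-ssid"}

# Allowlist for a JSONP callback: a bare JavaScript identifier and nothing else,
# so names containing '$' or '.' such as "$_APPLOG.Rfunc" are rejected.
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def weak_status_handler(params, headers, status=STATUS):
    """The pattern the advisory describes: no authentication, and the 'func'
    parameter is reflected into an executable script body without validation."""
    func = params.get("func", "callback")
    return 200, "application/javascript", f"{func}({json.dumps(status)});"


class HardenedStatusEndpoint:
    """Hypothetical hardened handler (assumed design, not the vendor's fix)."""

    def __init__(self):
        # Generated per run and handed only to the client's own UI process;
        # a page in the user's browser has no way to learn it.
        self.token = secrets.token_urlsafe(32)

    def handle(self, params, headers, status=STATUS):
        supplied = headers.get("X-Auth-Token", "")
        if not secrets.compare_digest(supplied, self.token):
            return 403, "application/json", json.dumps({"error": "forbidden"})
        func = params.get("func")
        if func is None:
            # Plain JSON: cannot be consumed cross-origin via a <script> tag.
            return 200, "application/json", json.dumps(status)
        if not CALLBACK_RE.match(func):
            return 400, "application/json", json.dumps({"error": "bad callback"})
        # Leading comment block defeats content-sniffing tricks on the script body.
        return 200, "application/javascript", f"/**/{func}({json.dumps(status)});"
```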
Yibelo tried to contact AnchorFree (the makers of the utility) in December to share his discovery but apparently received no response.
He then went through the SecuriTeam Secure Disclosure vulnerability disclosure program, and the company replied that they were looking into the matter.
The PoC exploit
After Yibelo released more details about the flaw along with proof-of-concept exploitation code, and ZDNet confirmed that, using it, they were able to consistently discover devices’ network name and ID (but not their IP address), AnchorFree finally responded to inquiries.
Tim Tsoriev, VP of Marketing Communications at AnchorFree, said that they have reviewed and tested the researcher’s report and found that the vulnerability doesn’t leak the user’s real IP address or any personal information, but can expose generic information such as the user’s country.
“We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information,” the spokesperson concluded.