Hotspot Shield VPN flaw can betray users’ location


A flaw in the widely used Hotspot Shield VPN utility can be exploited by attackers to obtain sensitive information that could be used to discover users’ location and, possibly and ultimately, their real-world identity.


About the vulnerability

According to the entry for the vulnerability (CVE-2018-6460) in the National Vulnerability Database, Hotspot Shield runs a web server bound to the static IP address 127.0.0.1 on port 895; the web server uses JSONP and hosts sensitive information, including configuration.

But user-controlled input is not sufficiently filtered: “An unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address.”

According to researcher Paulos Yibelo, who discovered the flaw, the attacker can also extract information such as the user’s country code and Wi-Fi network name, if the user is connected to one.
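To make the defect concrete from a defender's side, here is an added illustration (not code from the page, from Yibelo, or from AnchorFree) of a localhost JSONP status endpoint written the way the advisory describes, next to a hardened variant. The state values, the port-based origin allow-list, the session token and the callback-name policy are all constructed assumptions for the example.

```python
import json
import re
import secrets

# Constructed stand-in for the state a local VPN helper might hold; none of
# these values are real Hotspot Shield data.
VPN_STATE = {
    "connected": True,
    "server": "vpn-placeholder.example",
    "real_ip": "203.0.113.7",  # RFC 5737 documentation address
    "country": "XX",
    "ssid": "ConstructedWifiName",
}

# Assumed policy for the hardened variant (not AnchorFree's actual fix).
ALLOWED_ORIGINS = {"http://127.0.0.1:895", "http://localhost:895"}
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
SESSION_TOKEN = "constructed-demo-token"  # in practice: random, per launch


def status_js_vulnerable(params):
    """Mirrors the pattern in the advisory: the `func` parameter is echoed
    verbatim as the JSONP callback and the full state is serialised, so any
    page that can make the browser load /status.js receives everything."""
    func = params.get("func", "callback")
    return 200, f"{func}({json.dumps(VPN_STATE)});"


def status_js_hardened(params, origin=None, token=None):
    """Same endpoint with the controls a reviewer would ask for."""
    # Script-tag and cross-site requests arrive without a first-party
    # Origin, so anything not explicitly allow-listed is refused.
    if origin not in ALLOWED_ORIGINS:
        return 403, ""
    # A secret only the app's own UI knows; third-party pages cannot read it.
    if token is None or not secrets.compare_digest(token, SESSION_TOKEN):
        return 401, ""
    # The callback must be a plain identifier, never an arbitrary expression.
    func = params.get("func", "callback")
    if not CALLBACK_RE.match(func):
        return 400, ""
    # Expose only what the UI needs; location-bearing fields never leave the host.
    public = {"connected": VPN_STATE["connected"]}
    return 200, f"{func}({json.dumps(public)});"
```

The vulnerable handler hands back the real IP, country and SSID to whoever names the callback; the hardened one refuses foreign origins, demands a token a third-party page cannot obtain, and never serialises location-bearing fields in the first place.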

Yibelo tried to contact AnchorFree (the makers of the utility) in December to share his discovery but apparently received no response.

He then tried to go through the SecuriTeam Secure Disclosure vulnerability disclosure program, and the company replied by saying they are looking into the matter.

The PoC exploit

After Yibelo released more details about the flaw and proof-of-concept exploitation code, and ZDNet confirmed they were able to consistently discover devices’ network name and ID (but not their IP address) by using it, AnchorFree finally responded to inquiries.

Tim Tsoriev, VP of Marketing Communications at AnchorFree, said that they have reviewed and tested the researcher’s report and found that the vulnerability doesn’t leak the user’s real IP address or any personal information, but can expose generic information such as the user’s country.

“We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information,” the spokesperson concluded.

Yibelo’s proof-of-concept code returns the JavaScript file with the information to the user, but he says that it can be easily modified and incorporated into websites to collect and store the user’s information. If wielded by an authoritarian state, the exploit could reveal information that could endanger some Hotspot Shield users.