Hotspot Shield VPN flaw reveals user location and more

Hotspot Shield VPN security bug

An Ethiopian security researcher has discovered a bug in the free VPN service Hotspot Shield that leaks users’ private details.

The 19-year-old researcher claims the bug allows the user’s country, Wi-Fi hotspot name and, in some circumstances, even the user’s real IP address to be exposed.

Meih Yibelo, who goes by the online moniker Paulos Yibelo, discovered the bug and released proof-of-concept code that demonstrates the security hole in action.

Hotspot Shield VPN flaw risk

Yibelo, who admits on his personal blog that he “really enjoy breaking things”, attempted to contact Hotspot Shield back in December to report the bug but claims his attempt at reaching out went ignored.

In a further attempt to alert Hotspot Shield to the gaping hole in its product, Yibelo says he submitted the bug through a third-party bug bounty programme run by Beyond Security. Beyond Security is also said to have received no response from Hotspot Shield when it attempted to report the flaw.

The bug is made possible by the fact that Hotspot Shield runs its own web server on the user’s computer. That server can be queried to reveal certain aspects of the user’s connection, such as whether or not they are connected to a VPN.

When Yibelo appended additional commands to requests sent to that web server, he was able to reveal more sensitive details such as the user’s Wi-Fi name, country and, in some cases, real IP address.
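The pattern described above, a local web server that answers browser requests about the user’s connection, is worth seeing in a defensive form. The following is an added illustration written for this article, not Hotspot Shield’s code: a hypothetical “status” endpoint in its leaky shape (the caller picks which fields come back) next to a hardened one that never serves sensitive fields over the web interface, rejects cross-origin callers by their Origin header, and binds only to the loopback address. The port, path, `fields` parameter, field names and sample values are all invented for the example.

```python
"""Hypothetical local VPN-client status endpoint: a leaky version beside a
hardened one. Added illustration, not Hotspot Shield's code. Port, path,
parameter and field names are invented for the example."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample of what a VPN client might know about the local machine.
SAMPLE_STATE = {
    "connected": True,
    "wifi_name": "home-wifi-example",   # constructed
    "country": "XX",                    # constructed placeholder
    "real_ip": "192.0.2.10",            # constructed (RFC 5737 documentation range)
}

# Hypothetical listening port and the origin of the client's own UI page.
LISTEN_PORT = 8099
TRUSTED_ORIGINS = {"http://127.0.0.1:%d" % LISTEN_PORT}

# The only field a page running in the browser has any business reading.
PUBLIC_FIELDS = ("connected",)


def leaky_status(state, query):
    """Weak pattern: the caller chooses which fields come back, so any web
    page that can reach the local port can ask for everything."""
    wanted = query.get("fields", ["connected"])
    return {k: state[k] for k in wanted if k in state}


def leaky_status_from_path(state, path):
    """Drive the weak pattern from a request path such as '/status?fields=country'."""
    return leaky_status(state, parse_qs(urlparse(path).query))


def hardened_status(state, origin):
    """Hardened pattern. Returns (http_status, body).
    1. Sensitive fields are never served over the web interface at all.
    2. Browsers attach an Origin header to cross-origin fetch/XHR requests;
       one that names anything but the client's own UI is refused."""
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return 403, {"error": "untrusted origin"}
    return 200, {k: state[k] for k in PUBLIC_FIELDS}


class StatusHandler(BaseHTTPRequestHandler):
    """Serves only the hardened endpoint."""

    def do_GET(self):
        if urlparse(self.path).path != "/status":
            self.send_error(404)
            return
        code, body = hardened_status(SAMPLE_STATE, self.headers.get("Origin"))
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        # Deliberately no Access-Control-Allow-Origin header: the browser then
        # refuses to hand the response body to any cross-origin page.
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve():
    """Bind to loopback only, so the endpoint is never reachable from the network."""
    HTTPServer(("127.0.0.1", LISTEN_PORT), StatusHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The point of the hardened version is that the two controls are independent: even if the Origin check were bypassed, the endpoint has no code path that returns the Wi-Fi name, country or real IP, so there is nothing for an extra parameter to unlock.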

Few lines of code rebuffed

What’s most shocking is not only that Yibelo claims his findings went ignored, but that the bug can be exploited with just a handful of lines of code.

While it would take a certain level of skill to write code such as Yibelo did, there are countless less scrupulous people who could do the same with far worse intentions in mind.

While Yibelo’s findings are currently limited to being executed on the user’s own machine, it’s claimed that it wouldn’t be too difficult to replicate on an attack system and vacuum up personal details about Hotspot Shield VPN users.

Hotspot Shield has rebuffed the claim that users’ IP addresses can be revealed but has vowed to plug the hole in the coming days.

When is a VPN not a VPN

Hotspot Shield is most commonly used in its free form by users looking for a free VPN service. This, however, is nothing more than a browser extension, and while it is often called a “VPN” it should be considered a simple proxy.

The difference between the two is that a fully fledged VPN service, such as those listed in our Best VPN Service for 2018 guide, will encrypt and secure the user’s entire connection. This includes web browsing, gaming, emailing and any other service accessed.

A simple proxy is a “VPN” in a browser which secures only web-based activity, such as anything you do while using Internet Explorer, Google Chrome or the like.

Aside from the gaping hole discovered by Yibelo, a browser-based VPN proxy service is almost always less secure than a full VPN service.

It’s not the first time free VPN service Hotspot Shield has been rapped over the knuckles for security issues. Back in August 2017, the US organisation the Center for Democracy & Technology filed a complaint over the privacy claims made by Hotspot Shield.

So while the security issues are concerning, this once again shows that free VPN services are often useful for nothing more than unblocking websites. When it comes to protecting your privacy, using a paid-for VPN service and following other security best practices will further your ability to secure your online privacy.

Author: Christopher Seward

After 25 years of using the internet, Christopher launched one of the very first VPN comparison websites in 2013. An expert in the field, his reviews, testing and knowledge have helped thousands of users get the correct VPN for their needs.
