An independent security researcher has discovered a vulnerability in the SaferVPN Chrome Extension which could have put user data at risk.
The discovery was made by Meih Yibelo, a 19-year-old Ethiopian security researcher who goes by the name of Paulos Yibelo online. He is the same researcher who found flaws in both Hotspot Shield and PureVPN earlier this year.
Yibelo is making quite a name for himself at the moment and uncovering new bugs on a pretty regular basis. With his current focus on VPNs, his work is certainly a great benefit to the VPN community.
SaferVPN Chrome Extension flaw
The latest security flaw he has discovered is a remarkably simple one. In testing, Yibelo found that the SaferVPN Chrome Extension will crash when it tries to send a series of simultaneous requests to a non-existent server.
In other words, it is extremely easy to make the SaferVPN Chrome Extension crash. All it takes is a fairly mild Denial of Service (DoS) attack.
And when it does crash, there is a serious problem, because it then leaks all of the personal details that most VPN users want to keep private.
This includes the user's original IP address, DNS, and various other details. Obviously, this is the core data that VPNs should be protecting, so it is deeply worrying that the SaferVPN Chrome Extension could be compromised so easily in this manner.
Further research from Yibelo has led to him describing the new bug, which has been given the code CVE-2018-10308, as ‘weird’. The researcher claims to have been unaware that Chrome Extensions could be compromised in this way.
He also claims that further examination suggests that the coding behind the extension intentionally killed it when multiple non-existent DNS queries were made.
How worried should you be?
Any vulnerability in a VPN is cause for concern, and the work of security researchers like Yibelo is important to help uncover them and get them fixed. But in this instance, we would urge readers not to worry too much, even if you do use the SaferVPN Chrome Extension.
SaferVPN were contacted by Yibelo on March 29th to inform them about the vulnerability and on April 19th their patch for it officially went live. That means that, as long as you ensure your SaferVPN Chrome Extension is fully up to date, this vulnerability is no longer a concern.
Their turnaround time on fixing the issue is impressive and certainly knocked spots off Hotspot Shield’s response to his previous discovery. Hotspot Shield failed to respond at all when informed about that discovery, even when he submitted it through a third-party bug bounty programme run by Beyond Security.
In contrast, SaferVPN acknowledged the vulnerability, checked it out, and then patched it in around three weeks, which is, of course, the responsible thing to do. Yibelo did not make the vulnerability public until a patch was in place.
There is also no evidence from either Yibelo or SaferVPN to suggest that this vulnerability has been exploited by any hackers or other malicious agents.
Not a VPN client issue
It is also important to note that it was a flaw in the Chrome Extension and not the VPN client itself. Chrome extensions are simple plugins to the browser and will always be less secure than the proper VPN client.
If you do have concerns about VPN Chrome Extensions as a result of this story, simply switching to the VPN's app instead should bring you peace of mind.
All computer software can have vulnerabilities, and the best VPN providers will always go out of their way to minimize these on their software. But they can never be 100% sure, which is why the work of independent security researchers like Meih Yibelo is so important.
By identifying these issues and then informing the VPN provider about them, they are providing a valuable service to the VPN community. And for that, we should all be thankful.