ZenMate has become the latest VPN provider to have vulnerabilities in its browser extensions revealed. And as the researcher who uncovered the problem has highlighted, the issue he found left user data easily accessible and even made it possible for users' real IP addresses to be identified.
Browser extension issues
Like many of the major VPN providers, ZenMate offers several different browser extensions. These are estimated to have around 3.5 million users combined. However, one security researcher has uncovered a glaring and fairly common flaw in the extensions for both Chrome and Firefox.
The findings come from an American researcher called Matthew Bryant who also goes by the handle ‘Mandatory’ and runs ‘The Hacker Blog’.
In a recent blog post, he revealed that both the Chrome and Firefox extensions trusted a domain called zenmate.li. However, Bryant noticed that this domain had expired. So, he bought it and discovered that it was possible to make privileged API calls to the browser extension via message passing.
This means that, by owning that domain, he was able to send instructions to the browser extensions and they, in turn, would respond. Among the things he was able to command them to do was reveal user data.
What ZenMate user data was accessible?
Bryant found that he was able to instruct these ZenMate browser add-ons to dump user data from any user who visited the zenmate.li page. Among the information he was able to access were email addresses, account ID, subscription information, the account holder’s country, and device information including the last sign-in time.
Even more worryingly, he was also able to switch off their VPN connection remotely and so reveal their actual IP address. He could even instruct the browser extension not to proxy when visiting specifically declared sites, meaning that the IP address would continue to be revealed whenever the user visited those sites.
This is a huge amount of data that could be accessed and is a severe embarrassment for ZenMate. But to their credit, ZenMate seem to have taken the matter seriously and acted extremely fast once Bryant informed them.
He states that he emailed them about the issue on May 28th at 2.15am and they had confirmed the issue by 2.38am the same day. By 9pm, they issued a patch for both the Chrome and Firefox extensions. Now the only domain which can command these two extensions is zenmate.com.
So, provided you have downloaded the latest updates for your extension, you should no longer be at risk from this vulnerability. Indeed, the fact that it was Bryant who bought the domain, rather than a hacker with more nefarious intentions, means you shouldn’t have to worry too much in any case.
But it does raise questions about whether there might be other domains that could be exploited in a similar way. It is to be hoped that ZenMate is now assessing their browser extension to try and ensure there are no similar issues lurking.
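One way to run that kind of assessment, as an added example that is not code from ZenMate or from Bryant's post: list every site pattern an extension manifest names and flag any whose host is not under a domain the vendor has confirmed it still owns. The article does not say which mechanism ZenMate's extensions used; the sketch assumes trust is declared in the standard `externally_connectable` and `content_scripts` manifest keys, and the manifest, domain names and `auditManifest` helper are constructed for illustration.

```javascript
// Added example. The manifest is constructed; it is not ZenMate's.
const sampleManifest = {
  name: "example-vpn-extension",
  externally_connectable: {
    matches: ["https://*.example-vpn.com/*", "*://account.example-vpn.li/*"],
  },
  content_scripts: [
    { matches: ["*://*.example-vpn.com/*", "*://*.example-vpn.li/*"], js: ["bridge.js"] },
    { matches: ["<all_urls>"], js: ["ui.js"] },
  ],
};

// Host part of a match pattern (<scheme>://<host>/<path>), or null if unparseable.
function hostOf(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(?:\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[1].toLowerCase() : null;
}

// List every pattern that extends trust beyond domains the vendor controls.
function auditManifest(manifest, ownedDomains) {
  const patterns = [];
  for (const p of manifest.externally_connectable?.matches ?? [])
    patterns.push({ pattern: p, source: "externally_connectable" });
  for (const cs of manifest.content_scripts ?? [])
    for (const p of cs.matches ?? [])
      patterns.push({ pattern: p, source: "content_scripts" });

  return patterns.flatMap(({ pattern, source }) => {
    const host = hostOf(pattern);
    if (host === null) return [{ pattern, source, issue: "unparseable pattern" }];
    if (host === "*") return [{ pattern, source, issue: "applies to every site" }];
    const bare = host.replace(/^\*\./, "");
    const owned = ownedDomains.some((d) => bare === d || bare.endsWith("." + d));
    if (!owned) return [{ pattern, source, issue: "host not under an owned domain" }];
    if (host.startsWith("*.")) return [{ pattern, source, issue: "any subdomain is trusted" }];
    return [];
  });
}

// ownedDomains: the reviewer's list of domains confirmed registered and renewed.
const findings = auditManifest(sampleManifest, ["example-vpn.com"]);
for (const f of findings) console.log(`${f.source}: ${f.pattern} -> ${f.issue}`);
```

The owned-domain list has to come from registrar records rather than from the manifest itself, since an expired domain looks no different from a live one inside the extension.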
The possible risks of using browser extensions
This is not the first time that browser extensions have come under the microscope as a result of security vulnerabilities being discovered. Last year, we reported on no fewer than eight Chrome extensions being hacked. These included a number of free VPNs, which are always less secure than proper ones.
But as Bryant explained in the case of the ZenMate vulnerability, browser extensions are simple programmes and can often be easier to compromise. The vulnerability he identified was due to a coding pattern which he described as fairly common in browser extensions.
Once an extension is connected to a domain, all a hacker needs to do is get control of that domain, or any subdomain connected to it, and they would be able to command the extension in the way that Bryant could with ZenMate’s.
This means that while we would not recommend that all users stop using browser extensions for their VPNs, we would urge a little caution. It is increasingly recognised that these extensions are not as robust as the main VPN apps or a manual VPN setup.
Therefore, if you are particularly privacy-conscious, using your VPN in a country where you might face reprisals, or undertaking any type of sensitive activity, you might be best advised to opt for the app over the browser extension, just for the extra peace of mind it will bring you.