Hotspot Shield VPN compromised by location-revealing bug

News
By Darren Allan
published

A highly embarrassing flaw for a VPN service

Hotspot Shield

Popular VPN provider Hotspot Shield has run into trouble again, with news that the service suffers from a vulnerability that can potentially allow for the identification of the user’s location.

A security researcher, Paulos Yibelo, discovered the bug which leaks bits of user data including the country in which they’re located, and their Wi-Fi network name, among other sensitive details.

Yibelo noted that the information spilled could allow a third-party to narrow down or even pinpoint where the user is located. In some limited cases, he claims that he could actually directly determine the real IP address of the user (as opposed to the IP address given to the user by the VPN).

All this is obviously a hugely embarrassing flaw for a VPN service which is supposed to make the user more secure and maintain their anonymity online.

ZDNet, which spotted this development, has also tested and independently verified that this bug can be successfully exploited to discover a target user’s Wi-Fi network name (although the site didn’t find any leverage to directly uncover the user’s real IP).

Protective measures

We contacted Francis Dinha, CEO of OpenVPN, regarding advice on what folks can do to try and keep their personal data secure when online.

Dinha advised: “To truly protect your data and information, users need to look for a VPN service that only allows outbound connections and sessions to the internet. It’s also important to stay away from VPN services that install Proxy Servers on your device as this enables inbound connections and sessions.

“This is dangerous because inbound connections allow others to gain access to your device. For example, inbound connections are used to push ad notifications to your device. While they may seem convenient, it does put the user at greater risk.”

Hotspot Shield previously found itself in hot water last summer, when the VPN service was accused of ‘deceptive’ practices including logging user connection data and using it to achieve ends like better serving adverts to users.

Darren Allan

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).