- A free Chrome extension was misusing CyberGhost's free servers
- BiuBiu VPN was stealing CyberGhost's resources to host its app
- CyberGhost confirmed that no user data had been compromised
A free VPN Chrome extension with 20 million users has been caught abusing CyberGhost's resources.
TechRadar's Lead Security Reviewer, Mike Williams, found that the Chrome extension named "BiuBiu VPN – The Website Unblocker" was stealing CyberGhost's free servers to host its application.
CyberGhost told TechRadar that the extension had been abusing its legacy service which was designed to provide people with a free, public-facing proxy service. A CyberGhost spokesperson confirmed no user data was accessed, stating: "No existing CyberGhost users (or their accounts) were impacted or compromised in any way."
How BiuBiu VPN stole CyberGhost's servers
Williams spotted anomalies with the BiuBiu VPN app while researching the security of some Chrome extensions.
He then decided to look at the app more closely. After performing network analysis and analyzing the extension's source code, he found that it was covertly connecting the user to CyberGhost's servers.
Williams said: "This isn’t a direct threat to users; the extension worked as advertised. But there is the potential for fraud."
CyberGhost later told TechRadar that the incident involved the misuse of servers linked to its legacy free service.
The company said that it was unfortunate that some individuals and organizations had "taken advantage" of the free product, adding that its security team is now "actively engaged" in taking down the extension.
CyberGhost's engineers are working on migrating the free proxy service to a more robust and abuse-resistant platform to ensure more bandwidth remains available for legitimate users. "The new setup will remain free and private for legitimate users but will require registration to prevent misuse," CyberGhost said.
BiuBiu VPN's response
In response to our questions, a spokesperson for PreppHint – the developer behind the VPN extension – told TechRadar that it would immediately discontinue the app.
"We have made the decision to permanently discontinue the BiuBiu VPN extension. It has been unpublished from the Chrome Web Store effective immediately," the developer said.
BiuBiu VPN isn't the first to take advantage of free VPN resources. Last year, another free Android VPN app with over 1 million downloads – JetVPN – was found to be using stolen free servers owned by Windscribe and Private Internet Access.
Like BiuBiU, JetVPN was quick to remove its application from the Web Store, despite saying that the company "never engaged in any intentional or unauthorized use" of third-party infrastructure.
The wider risk of free VPN apps
The risks of using free VPN apps are quickly becoming well-known.
"When you install one, you have no idea which servers are handling your connections," Williams said. "CyberGhost’s VPN servers are a safe choice, but it could just as easily have used some traffic logging Chinese servers."
Not all free VPN apps are malicious but running a virtual private network (VPN) infrastructure costs money. This means there may an incentive for developers to monetize your data with tracking technology and intrusive ads, while others opt steal reputable VPN providers' resources instead of building their own.
If you are looking for a secure VPN app but you don't want to invest in a subscription, check our page for the best free VPN apps available. These services make money by selling premium subscriptions rather than by misusing your data. Be warned, though, they all come with some limitations.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.