A team of security researchers discovered flaws in three VPN services that could compromise user privacy. The three service providers, Hotspot Shield, PureVPN, and ZenMate, have millions of customers worldwide. One of the providers, PureVPN, had previously been caught lying about not logging its customers' traffic when it was revealed that it had provided the FBI with logs that led to the arrest of a man in a cyberstalking case.
After running a series of privacy tests, the research team discovered that all three VPN services were leaking their users' real IP addresses.
The exact issues in ZenMate and PureVPN were not disclosed because they have not been patched yet.
Three separate vulnerabilities were discovered:
CVE-2018-7879 Hijack all traffic: Allows remote hackers to potentially hijack and redirect victim web traffic to a malicious site.
CVE-2018-7878 DNS Leak: Exposes the user's original IP address to the DNS server, allowing ISPs to monitor and record user activities.
CVE-2018-7880 Real IP Address Leak: Allows hackers to track the user's real location.
Researchers believe that most other VPN services also suffer from similar issues.