Critical vulnerabilities found in popular VPN apps


Researchers have found various flaws in popular VPN applications that may have exposed users to hackers, allowing them to install malicious updates and ransomware remotely.

According to the experts, top VPN apps including PrivateVPN and Betternet were found to download fake software updates, which could force users to install malware, keyloggers and the like, eventually helping attackers steal private data.

Other VPN applications like Torguard, CyberGhost, and Hotspot Shield were also found to be vulnerable and allowed the researchers to intercept the communication.

In an email to TechRadar Pro, Torguard alleges that VPNPro's article is misleading and will only scare the regular user.

"Our app is not vulnerable in any way, what they refer to here is a simple update to call to our update server, they can check this call yes (big deal) anyone can see this through a regular firewall, but they can't do anything with it, our app verifies every site/certificate it needs to connect with and has a whitelisted set of certs stored (hardcoded) into the app so it would never accept anything other than the real certs - this way nothing could ever tell you to do any different, it's extremely misleading to the regular user, it makes out TorGuard VPN can be “Intercepted” which is complete nonsense", the email added.


Both Betternet and PrivateVPN were informed in February 2020, and the flaws have since been patched. However, VPNpro states that “rather than protect their users’ data, PrivateVPN and Betternet have instead overlooked a crucial security aspect that allows for malicious actors to steal that data or do even worse actions.”

Vulnerable VPNs

PrivateVPN not only downloaded the fake software update, it also installed the update without letting the user know about it. Betternet, on the other hand, did download the fake app, but it sent a notification prompting the user to update the desktop application.

Once the fake update is installed, it would be a cakewalk for hackers to collect and steal personal data, process unauthorized payments, install ransomware on the device, or use the system for various illegal activities.

Other VPN apps like ExpressVPN, Surfshark, NordVPN, Tunnel Bear, IPVanish, PIA, Windscribe, Ivacy, HMA, VyprVPN, ProtonVPN, TurboVPN, PureVPN, Hide.me and Hola VPN which were a part of this test were found to be safe and did not have this vulnerability. VPNpro states that the researchers were not able to intercept the connection made using these VPNs.

To stay safe, the experts advise against downloading anything, especially software updates, while you’re connected to free or public WiFi, and suggest that you “be extra safe and not use public wifi at all, or make sure that the wifi you’re connecting to is actually from the cafe, airport, or whatever location. That’s one important step you can take, but it can be hard to verify the free wifi you’re using.”


Via: VPNPro
