29. October 2020

Are VPN Apps really secure?

A report questions the security practices of 7 providers and shows that their VPN services log user data despite assertions to the contrary.

Until recently, 1.2 terabytes of private user data were freely accessible on a server shared by seven VPN providers, all of which claim not to keep any logs of their users' online activities. Among the data on the server was the personally identifiable information (PII) of potentially up to 20 million VPN users, according to the vpnMentor researchers who discovered the leak.

In addition to personal data such as users' email and home addresses, passwords stored in plaintext, and IP addresses, the server held numerous connection logs. This casts strong doubt on the providers' claims that they store no logs of user behavior.

The providers UFO-VPN, FAST-VPN, FREE VPN, SUPER VPN, Flash VPN, SECURE VPN and Rabbit VPN are involved in the incident.

The report suggests that all of these Hong Kong-based services use a white-label solution: a single developer's app that other companies offer under different names and brands. The researchers base this conclusion on the fact that the services share the same Elasticsearch server, are hosted on the same assets, and name the same payee for payments.

Tests showed how much was logged

The security researchers carried out a series of tests with the UFO VPN service. After downloading and installing the mobile app, they connected to servers around the world and then found these activities recorded in the openly accessible database, including their personal data (e-mail address, IP address, device info and the server they were connected to). This confirmed the suspicion. They also discovered that the database logged the username and password they had used to create the account.

The database even contained technical data about the devices the apps ran on: the users’ IP addresses, their Internet service provider, the actual location, the device model, the type and ID, and the user’s network connection. “The VPN server to which a connection was made was also disclosed, including its region and IP address. This makes the VPN service in question virtually unusable, as the user’s source IP address can be associated with his activity on the destination server,” vpnMentor explained.
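The combination vpnMentor describes (account identity, the user's source IP and the VPN exit server in one record) is exactly what a no-logs audit should look for. The script below is an added example, not code from vpnMentor or from any of the providers: it takes documents in the shape an Elasticsearch `_search` response returns (`hits.hits[]._source`), tags fields that identify the user, their source address, the exit server, and plaintext versus hashed passwords, and reports which records re-identify a user end to end. The field names and the two sample records are constructed assumptions modelled on the categories the article lists, not the leaked schema.

```python
"""Audit an Elasticsearch export of VPN app records for data a "no-logs"
service should never hold. Added example; field names are assumptions."""
import ipaddress
import json
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Prefixes of common password-hash encodings (bcrypt, argon2, sha-crypt, pbkdf2).
HASH_RE = re.compile(r"^(\$2[aby]\$|\$argon2(id|i|d)\$|\$[56]\$|\$pbkdf2)")
# Assumed key names; adjust to the schema you are actually auditing.
PASSWORD_KEYS = {"password", "passwd", "pwd", "user_password"}
IDENTITY_KEYS = {"email", "username", "user_id", "account"}
SOURCE_IP_KEYS = {"ip", "client_ip", "source_ip", "user_ip"}
SERVER_KEYS = {"vpn_server_ip", "server_ip", "exit_ip", "server_region"}
DEVICE_KEYS = {"device_model", "device_id", "device_type", "isp", "os", "carrier"}


def is_ip(value):
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False


def tag_field(key, value):
    """Return the set of sensitivity tags that apply to one key/value pair."""
    k = key.lower()
    tags = set()
    if k in PASSWORD_KEYS:
        tags.add("hashed_password" if HASH_RE.match(str(value)) else "plaintext_password")
    if k in IDENTITY_KEYS or (isinstance(value, str) and EMAIL_RE.match(value)):
        tags.add("identity")
    if k in SOURCE_IP_KEYS and is_ip(value):
        tags.add("source_ip")
    if k in SERVER_KEYS:
        tags.add("vpn_server")
    if k in DEVICE_KEYS:
        tags.add("device")
    return tags


def audit_record(doc):
    """Tag every field of one document and derive the two verdicts that matter."""
    findings = {}
    for key, value in doc.items():
        tags = tag_field(key, value)
        if tags:
            findings[key] = sorted(tags)
    all_tags = {t for ts in findings.values() for t in ts}
    return {
        "findings": findings,
        "plaintext_password": "plaintext_password" in all_tags,
        # Who the user is, where they connected from, and which exit they used,
        # all in one record: the source IP can be tied to activity on the server.
        "linkable": {"identity", "source_ip", "vpn_server"} <= all_tags,
    }


def extract_sources(search_response):
    """Pull documents out of an Elasticsearch _search response (hits.hits[]._source)."""
    return [hit["_source"] for hit in search_response["hits"]["hits"]]


def audit_export(search_response):
    reports = [audit_record(d) for d in extract_sources(search_response)]
    return {
        "records": len(reports),
        "linkable_records": sum(r["linkable"] for r in reports),
        "plaintext_passwords": sum(r["plaintext_password"] for r in reports),
    }


# Constructed sample in the shape of a _search response. The first record mimics
# the categories the article lists; the second is what an aggregate-only service
# might keep (no identity, no client address, so nothing to link).
SAMPLE_RESPONSE = json.loads("""{"hits": {"hits": [
  {"_index": "connections", "_source": {
     "email": "alice@example.net", "password": "hunter2",
     "client_ip": "203.0.113.7", "isp": "Example Telecom",
     "device_model": "Pixel 3", "device_id": "d9f1a2",
     "vpn_server_ip": "198.51.100.20", "server_region": "Singapore",
     "timestamp": "2020-07-01T12:00:00Z"}},
  {"_index": "metrics", "_source": {
     "server_region": "Singapore", "active_sessions": 412,
     "bytes_out": 983221, "timestamp": "2020-07-01T12:00:00Z"}}
]}}""")

if __name__ == "__main__":
    print(json.dumps(audit_export(SAMPLE_RESPONSE), indent=2))
```

Run against a real export, the interesting number is `linkable_records`: a service that truly keeps no logs should produce zero, while the first sample record alone is enough to put a named user's source IP next to the exit server and time it used. Hashed passwords are recognised only by the prefixes in `HASH_RE`; anything else in a password field is reported as plaintext, which errs on the side of flagging.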

In short, the data these VPN services stored, despite statements to the contrary, exposes their users to real harm. After all, the main reasons for using a VPN are additional security and privacy: accessing content that is illegal in one's own country, circumventing location restrictions, or protecting oneself as a political activist. Depending on which malicious actor gets hold of the data, VPN users could become victims of phishing campaigns or online fraud, or even be blackmailed, arrested and prosecuted.

Following responsible-disclosure practice, the researchers informed the VPN providers of the exposed server on July 5 and the Hong Kong Computer Emergency Response Team (HK CERT) on July 8. The server was closed on July 15.

Given the leak and the privacy issues, users of the seven VPN providers should seriously consider switching to another service, and anyone who reused the same credentials on other online accounts should change them there without delay, since the passwords were stored in plaintext. Despite the alarming way these providers treat the security and privacy of their users, the conclusion is not to stop using VPNs. The report does show, however, that you need to choose your VPN provider carefully.