- Jan 8, 2017
According to recent reports, a flaw in Hotspot Shield, tracked as CVE-2018-6460, can expose the location of users of the popular free VPN software.
Many users rely on VPN services to browse the web anonymously or to reach sites and services that are geo-blocked.
Flaw in Hotspot Shield can expose users' location
Security researcher Paulos Yibelo recently discovered the flaw and, having received no response from AnchorFree, the developer of Hotspot Shield, after notifying the company, decided to disclose it publicly.
CVE-2018-6460 has not yet received a severity rating, but in his analysis Yibelo found the software riddled with information-leaking bugs and easy to compromise.
If exploited, the flaw gives access to information such as the user's real IP address and thereby helps pinpoint their location.
In a post published on his blog, Yibelo explains that Hotspot Shield runs its own web server while connected, which it uses to communicate with its VPN client. The server listens on the fixed address 127.0.0.1, port 895, and hosts JSONP endpoints that return various values and configuration data. Because a JSONP response is JavaScript rather than plain data, any web page the user visits can load such an endpoint with a script tag and read what it returns, which is what turns a service bound to localhost into something reachable from the open web.
For example, “http://localhost:895/status.js” returns a JSON response that reveals whether the user is connected to the VPN, which VPN is in use, their real IP address, and other details. The researcher also published a proof-of-concept for the flaw.
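The following is an added example, not the researcher's proof-of-concept or AnchorFree's code. It models a local VPN-client status endpoint like the one described above (a server on 127.0.0.1:895 answering status.js) to show why a JSONP response can be read by any web page the user happens to visit, and what a response that only the client's own UI can read looks like. The callback parameter name `func`, the header value `HotspotShieldUI`, the `)]}'` prefix convention and the status fields are assumptions for illustration; the sample status data is constructed.

```javascript
// Constructed sample of what the local status server knows about the user.
// The IP is an RFC 5737 documentation address, not a real user's address.
const STATUS = {
  connected: false,
  vpn: "hotspotshield",
  real_ip: "203.0.113.7",
  country: "BR",
};

// Parse "?func=leak&x=1" into a plain object (no URL library needed).
function parseQuery(url) {
  const q = {};
  const i = url.indexOf("?");
  if (i === -1) return q;
  for (const pair of url.slice(i + 1).split("&")) {
    const [k, v = ""] = pair.split("=");
    q[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return q;
}

// Leaky handler (assumed shape): wraps the status in whatever callback the
// caller names. Any origin may request it, and a <script> tag executes the
// result as code, so the same-origin policy offers no protection here.
function jsonpStatusHandler(url) {
  const cb = parseQuery(url).func || "callback";
  return { status: 200, body: `${cb}(${JSON.stringify(STATUS)});` };
}

// Hardened handler: no callback wrapper, and the request must carry a custom
// header. A cross-site <script src=...> cannot add custom headers; only the
// client's own same-origin UI (fetch/XHR) can.
function jsonStatusHandler(url, headers) {
  if (headers["x-requested-with"] !== "HotspotShieldUI") {
    return { status: 403, body: "" };
  }
  // The ")]}'" prefix keeps the body from being valid JavaScript even if some
  // future bug lets it load cross-origin; the UI strips it before JSON.parse.
  return { status: 200, body: ")]}'\n" + JSON.stringify(STATUS) };
}

// Simulates a page on attacker.example that includes
//   <script src="http://localhost:895/status.js?func=leak"></script>
// The browser sends that request with no custom headers and runs the response
// body as JavaScript inside the attacker's page, where `leak` is defined.
function attackerPageLoads(handler, url) {
  const resp = handler(url, {}); // script tags cannot set custom headers
  const captured = {};
  const leak = (data) => Object.assign(captured, data);
  try {
    new Function("leak", resp.body)(leak);
  } catch (e) {
    // An empty body runs nothing; bare JSON or the )]}' prefix is a syntax
    // error, so nothing is captured either way.
  }
  return captured;
}

// The client's own UI: same origin, sets the header, strips the prefix.
function clientUiReads(handler, url) {
  const resp = handler(url, { "x-requested-with": "HotspotShieldUI" });
  if (resp.status !== 200) return null;
  return JSON.parse(resp.body.replace(/^\)\]\}'\n/, ""));
}

// Usage: the same "attacker page" against each handler.
const LEAKY_URL = "http://localhost:895/status.js?func=leak";
console.log("JSONP endpoint leaks:", attackerPageLoads(jsonpStatusHandler, LEAKY_URL));
console.log("Hardened endpoint leaks:", attackerPageLoads(jsonStatusHandler, LEAKY_URL));
console.log("Client UI still reads:", clientUiReads(jsonStatusHandler, LEAKY_URL));
```

The point of the `attackerPageLoads` simulation is that a service bound to 127.0.0.1 is not private from the browser: the victim's own browser makes the request, so the attacker never needs network access to the machine. Removing the callback wrapper and requiring something a cross-site script tag cannot supply (a custom header, or a per-session token) closes the read; binding to localhost alone does not.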
AnchorFree said it will release an update for the software later this week.
Source: Falha no Hotspot Shield pode expor a localização dos usuários