Failure in Hotspot Shield can expose users' location

Status
Not open for further replies.

Faybert

Level 24
Thread author
Verified
Top Poster
Well-known
Jan 8, 2017
1,318
According to recent information, a failure in the Hotspot Shield identified as CVE-2018-6460 can expose the location of users of the popular free VPN software.

Many users use VPN solutions as an option to surf the web anonymously or to access certain sites and services with zone locking.

Failure in Hotspot Shield can expose users' location
Security researcher Paulos Yibelo recently discovered the crash, and since he did not get a response from AnchorFree, developer of Hotspot Shield, after notifying him, he decided to publicly disclose the flaw.

The CVE-2018-6460 vulnerability has not yet received a severity rating, but in its analysis Yibelo found that the software is brimming with bugs that leaked information and that it can be easily compromised.

If exploited, the failure can enable access to information such as the actual IP address of the user and thus facilitate their location.
Hotspot-Shield-logo-01.jpg


In a post publicado em seu blog, Yibelo says that Hotspot Shield runs its own Web server when connected to communicate with its own VPN client. This server uses the fixed IP address 127.0.0.1 and port 895. It also hosts JSONP endpoints that return different values and configuration data.

For example,“http://localhost:895/status.js” generates a JSON response that reveals the user is not connected to the VPN, what VPN is being used, their actual IP address, and other information. The researcher also provided a proof-of-concept for failure in the Hotspot Shield.

AnchorFree said it will release an update for the software later this week.

Source: Falha no Hotspot Shield pode expor a localização dos usuários
 
F

ForgottenSeer 58943

There is so much junk software in 2018 that it's ridiculously unbelievable lol

This is the worst part about all of this.. So much junk, so little care for programming. So much reliance on API's, libraries and Toolboxes rather than raw coding. I was just talking to a buddy about how many years ago there weren't patches. How you shipped a game was how everyone played it. In general, your code had to be tight and you had one chance to get it right.

So much is junk in the modern age and people seem to be totally reckless about all of it.
 
D

Deleted member 65228

Notice the title? "Failure in Manurespot Shield"

It's not a failure, it's a success. They didn't reply because it isn't a bug it's a feature! :love:

Manurespot Shield doesn't need to be bypassed anyway. I bet 90% of installations leads to uninstallation within the first 24 hours, so then the IP would be exposed during the time frame of uninstallation, trying to diagnose why the uninstallation failed, browsing for a new PC and then installing a real VPN
 
  • Like
Reactions: Faybert and frogboy
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top