Two Popular VPNs Exposed Users to Attacks Via Fake Updates

silversurfer

Researchers analyzed some of the most popular VPNs and discovered that two of them were affected by vulnerabilities that could be exploited to hack users’ devices.

VPNpro, a company that specializes in analyzing and comparing VPN services, analyzed the 20 most popular VPNs to see which of them allow attackers to intercept communications and push fake updates.

The analysis revealed that PrivateVPN and Betternet VPNs were vulnerable to these types of attacks. Both vendors were notified in mid-February and they have released patches that should prevent attacks.

“The most important part of the fix is that they don't accept unverified update files anymore. Since we were intercepting only update network requests, the issue no longer exists,” VPNpro told SecurityWeek.

The analysis revealed that PrivateVPN, Betternet, TorGuard and CyberGhost allowed an attacker to intercept the connection, and the VPN connected while being intercepted. However, only PrivateVPN and Betternet downloaded a fake update, and PrivateVPN even executed the update automatically. Betternet did not automatically execute the update, but prompted the user to update the app, which in many cases would also likely lead to execution of the fake update.

According to VPNpro, a man-in-the-middle (MitM) attacker could have intercepted the targeted user’s VPN connection and pushed a fake software update. In the most likely scenarios, the attacker convinces the victim to connect to a malicious Wi-Fi network in a public location, or they somehow gain access to the target’s router.
 
Two prominent VPN services could have been hacked through malicious software updates, researchers from news website VPNpro discovered. If you were using one of them, your computer could have been completely hijacked with almost any kind of malware before you realized it.
The two VPN services, Betternet and PrivateVPN, have since fixed the flaws. But beforehand, you could have infected Betternet and PrivateVPN client software on a Windows PC with fake software updates downloaded in man-in-the-middle attacks, in which the client software would not realize it was getting updates from a malicious source instead of the legitimate software-update server.
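As an added example (not code from the page, from VPNpro, or from either vendor), the block below shows what "not accepting unverified update files anymore" looks like inside a client. The vendor signs a small manifest with Ed25519, the client carries only the pinned public key, and the installer is handed to execution only if the manifest signature verifies, the version is newer than the installed one, and the installer's hash matches the signed manifest. The manifest format, the function names and the installer and payload bytes are all assumptions made for the example; Go's standard library supplies Ed25519 and SHA-256.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the hypothetical update descriptor the vendor signs.
// The client trusts nothing else that arrives over the update channel.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

// SignedUpdate is everything the client fetches from the update URL.
type SignedUpdate struct {
	ManifestJSON []byte // the exact bytes that were signed
	Signature    []byte // Ed25519 signature over ManifestJSON
	Installer    []byte // the executable the client would run
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrHashMismatch = errors.New("installer hash does not match signed manifest")
	ErrRollback     = errors.New("update is not newer than the installed version")
)

// PublishUpdate is the vendor side: hash the installer, then sign the manifest.
func PublishUpdate(vendorPriv ed25519.PrivateKey, version int, installer []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(installer)
	mj, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(vendorPriv, mj), Installer: installer}, nil
}

// Intercept models the MitM from the article: the attacker on the Wi-Fi network or
// router answers the update request with their own payload. Signing it with a key
// that is not the vendor's is the best they can do without the vendor's private key.
func Intercept(payload []byte, attackerPriv ed25519.PrivateKey) SignedUpdate {
	sum := sha256.Sum256(payload)
	mj, _ := json.Marshal(Manifest{Version: 999, SHA256: hex.EncodeToString(sum[:])})
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(attackerPriv, mj), Installer: payload}
}

// VerifyUpdate is the client-side check the pre-patch clients lacked.
// pinnedPub is compiled into the client; nothing from the network can replace it.
func VerifyUpdate(pinnedPub ed25519.PublicKey, installedVersion int, u SignedUpdate) (Manifest, error) {
	// 1. Authenticity: the manifest must carry the vendor's signature.
	if !ed25519.Verify(pinnedPub, u.ManifestJSON, u.Signature) {
		return Manifest{}, ErrBadSignature
	}
	// 2. Parse the manifest only after it is known to be authentic.
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	// 3. Anti-rollback: replaying an old, genuinely signed but vulnerable build is rejected.
	if m.Version <= installedVersion {
		return Manifest{}, ErrRollback
	}
	// 4. Integrity: the installer must be the one the signed manifest names.
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(u.Installer)
	if err != nil || subtle.ConstantTimeCompare(sum[:], want) != 1 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed inputs standing in for real installer bytes.
	genuine, _ := PublishUpdate(vendorPriv, 2, []byte("constructed: legitimate installer"))
	forged := Intercept([]byte("constructed: attacker payload"), attackerPriv)

	for _, c := range []struct {
		name string
		u    SignedUpdate
	}{{"genuine", genuine}, {"forged", forged}} {
		if m, err := VerifyUpdate(vendorPub, 1, c.u); err != nil {
			fmt.Printf("%s update rejected: %v\n", c.name, err)
		} else {
			fmt.Printf("%s update accepted: would install version %d\n", c.name, m.Version)
		}
	}
}
```

The order of the checks matters: the signature is verified before the manifest is parsed, so unsigned JSON never reaches the parser, and the installer hash is compared against the signed manifest rather than against a digest fetched over the same channel the attacker controls. Pinning the key in the binary means a key rotation has to ship as a signed update of its own, which is worth planning before the first release. None of this replaces TLS certificate validation on the update connection; it is the check that still holds when, as in the article's Wi-Fi and router scenarios, the transport is already in the attacker's hands.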
 
A bad, often cheap, VPN is far, far worse than no VPN at all, by a long way, especially if you have a decent ISP.
Even if you have an ISP like Comcast in the USA. Their marketers may be deplorable, but their engineers and network managers are actually some of the best in the business and they have a vested interest in keeping their network secure. Privacy from advertising is another thing...but they are much more trustworthy and have more money to sue if they do get caught doing something shady.