No Comments

China’s free VPN service exposes data from over a million users

 

Updated Personal Identification Information (PII) of more than one million users of the free Chinese VPN service, Quickfox, are exposed on a server elasticsearch poorly configured, unencrypted and available on the shallow internet, no password.

According to WizCase, which revealed the case, data such as full name, original IP address, telephone number, list of other software installed on the user’s device, encrypted passwords with MD5 pattern and others are still exposed, even after the discovery of the company.

“No password or login credentials were required to view this information and the data was not encrypted. Based on exposed logs […] The breach could have affected at least a million Quickfox users. We contacted the company, but we have not received a response so far.“, write WizCase’s cybersecurity research team researchers.

In addition to the users’ personally identifiable information, internal platform data were also found. of VPN and although the passwords are encrypted by default MD5, the researchers explain that this is an archaic and insecure algorithm.

“While passwords were encrypted, MD5 is an archaic hashing technique that leaves users’ passwords vulnerable to modern password-cracking techniques“, they write.

Why does a VPN service collect this data?

In addition to the data exposure and the company’s inability to communicate with security researchers and resolve the issue, why a VPN service collects this user data is also unclear.

It is unclear why the VPN was collecting this data, as it is unnecessary for their process and not standard practice seen with other VPN services. We could not find Quickfox’s terms of use or privacy policy to confirm whether or not users were aware of the information Quickfox is extracting,” the researchers write.

Researchers explain that with access to this data, cybercriminals can sell or distribute this data in cybercriminal forums, in addition to carrying out various cybercriminal campaigns, such as phishing, fraud, scams and even taking control of the victim’s account.

Another piece of advice left by researchers is that free VPN services usually get money for maintain its operation in other ways that are not so transparent and even suspicious.

“Be sure to research a VPN service before using it. In general, if a VPN isn’t profiting through subscription services, the VPN is making money through other means, usually collecting your data. If you choose to use a free VPN, make sure you understand and feel comfortable with the information they collect.. Also, share only the information you need to operate the program,” the researchers conclude.


Source: WizCase, TheHack.

You might also like
News
News

More Similar Posts

Leave a Reply

Your email address will not be published.

Fill out this field
Fill out this field
Please enter a valid email address.