Updated Personal Identification Information (PII) of more than one million users of the free Chinese VPN service, Quickfox, are exposed on a server elasticsearch poorly configured, unencrypted and available on the shallow internet, no password.
According to WizCase, which revealed the case, data such as full name, original IP address, telephone number, list of other software installed on the user’s device, encrypted passwords with MD5 pattern and others are still exposed, even after the discovery of the company.
“No password or login credentials were required to view this information and the data was not encrypted. Based on exposed logs […] The breach could have affected at least a million Quickfox users. We contacted the company, but we have not received a response so far.“, write WizCase’s cybersecurity research team researchers.
In addition to the users’ personally identifiable information, internal platform data were also found. of VPN and although the passwords are encrypted by default MD5, the researchers explain that this is an archaic and insecure algorithm.
“While passwords were encrypted, MD5 is an archaic hashing technique that leaves users’ passwords vulnerable to modern password-cracking techniques“, they write.
游戏加速告别卡顿,上分王者,海外回国就用QuickFox加速器!
当然不止这些:动漫 电视剧 爱豆综艺 最新大片 经典老剧
不仅解除地域限制
还有更多视频会员年卡等你拿
心动不如行动,快来体验吧!
下载链接:https://t.co/qYcldyYhfM#回国VPN #海外回国 #翻墙 pic.twitter.com/t9f5qQwoL9— QuickFox VPN (@QuickFoxVPN) October 12, 2020
Why does a VPN service collect this data?
In addition to the data exposure and the company’s inability to communicate with security researchers and resolve the issue, why a VPN service collects this user data is also unclear.
“It is unclear why the VPN was collecting this data, as it is unnecessary for their process and not standard practice seen with other VPN services. We could not find Quickfox’s terms of use or privacy policy to confirm whether or not users were aware of the information Quickfox is extracting,” the researchers write.
Researchers explain that with access to this data, cybercriminals can sell or distribute this data in cybercriminal forums, in addition to carrying out various cybercriminal campaigns, such as phishing, fraud, scams and even taking control of the victim’s account.
Another piece of advice left by researchers is that free VPN services usually get money for maintain its operation in other ways that are not so transparent and even suspicious.
“Be sure to research a VPN service before using it. In general, if a VPN isn’t profiting through subscription services, the VPN is making money through other means, usually collecting your data. If you choose to use a free VPN, make sure you understand and feel comfortable with the information they collect.. Also, share only the information you need to operate the program,” the researchers conclude.
