The internet isn’t exactly the safest place, and hiding behind a virtual private network (VPN) isn’t a foolproof way of steering clear of malicious software either. As evidence of that, researchers from VPNpro found flaws in two well-known services: Betternet and PrivateVPN.
According to the results, they could intercept the connections of the two. They could then force the VPNs’ PC apps to download a fake update, which could contain malware if they wanted it to. Afterward, the apps would either automatically install the update or notify the user about it.
If cybercriminals managed to insert their malware in that manner, users could face a number of serious risks. Those include having their personal data stolen and sold and getting their computers locked with ransomware. Besides that, hackers could use their victims’ computers for cryptojacking or use their banking info to make payments in online transactions.
Also, the researchers were able to intercept the communications of CyberGhost, Hide.me, Hotspot Shield, and Torguard. Despite that, they didn’t consider these as having vulnerabilities because none of them accepted the update.
VPN Vulnerabilities Comparison Chart
One of the two VPNs found to have vulnerabilities.
Summing up the events regarding Betternet, its communication was intercepted and its app downloaded the researchers’ fake update. It didn’t install it, though. Rather, it only notified the user about it.
Betternet rolled out a patch to fix the issues on April 14.
The other VPN found to have a security flaw.
The case of PrivateVPN is similar to that of Betternet. However, instead of notifying the user about the fake update, it automatically installed it, which makes it more serious. As mentioned earlier, if a malicious program were installed on a PC this way, the user would be at risk of having their private information stolen, among other things.
PrivateVPN released an update to resolve the issues on March 26.
ExpressVPN and NordVPN are among the VPNs that didn’t have the vulnerability.
To reiterate, the researchers tested 20 VPNs, two of which were found to have flaws, namely Betternet and PrivateVPN. They also found that they could intercept the connections of four others but didn’t consider them to have any vulnerabilities. In short, 18 of them were regarded as safe, including CyberGhost, Hide.me, Hotspot Shield, and Torguard. And out of the 18, 14 didn’t allow their communications to be intercepted. The list is as follows:
- Private Internet Access
- Turbo VPN
Don’t take online safety for granted just because you have a VPN.
To sum things up, Betternet and PrivateVPN were found to have vulnerabilities but have since ironed the kinks out. Meanwhile, communications of CyberGhost, Hide.me, Hotspot Shield, and Torguard were intercepted, but ultimately, they don’t have vulnerabilities. Last but not least, VPNs such as ExpressVPN and NordVPN were found to be safe.
At any rate, this illustrates how we can’t be too careful online, even when we’re using a VPN. But really, the takeaway here is, don’t download updates on public Wi-Fi or other insecure networks.