
Unveiled Findings Show Link Between Virtual Private Network Applications and Several Security Weaknesses

Users face potential data risks with various VPN apps, as a study reveals that over 700 million individuals might be vulnerable due to shared flaws, unacknowledged ownership, and weak encryption, making their data susceptible to cyber attacks.

Uncovered Links Between Popular Virtual Private Network (VPN) Applications and Numerous Security Weaknesses in Fresh Research

In a shocking revelation, cybersecurity experts from Arizona State University, Citizen Lab, and Bowdoin College have uncovered a series of vulnerabilities affecting over 700 million users across multiple VPN applications. The research uncovered three distinct families of VPN providers that share common ownership and dangerous security weaknesses.

At the heart of the issue lies the poor cryptographic practices of these VPN apps. The most critical vulnerability involves hard-coded symmetric encryption keys embedded directly within the application code. These keys, stored in files such as and encrypted using AES-192-ECB, are a goldmine for attackers with network access or reverse engineering tools.
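The two properties above, a key shipped inside the app and ECB mode, are worth seeing side by side. The following is an added illustration written for this article, not code from the research or from any of the apps named; the key, the plaintext and the file-independent helper are all constructed. It shows that ECB encrypts equal plaintext blocks to equal ciphertext blocks, so anyone who can read the ciphertext learns its structure even without the key, and that once the key is hard-coded, full decryption is a one-liner for anyone who has the binary.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// Constructed 24-byte key (AES-192), standing in for a key embedded in
// application code. Not a value taken from any real app.
var hardcodedKey = []byte("example-hardcoded-key-24")

// ecbEncrypt runs the block cipher on each block independently, with no
// chaining or IV. That is exactly what ECB mode does, and it is why equal
// plaintext blocks produce equal ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// ecbDecrypt is the inverse. With a hard-coded key this is all an attacker
// who has extracted the key from the binary needs.
func ecbDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ciphertext)%bs != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ciphertext), bs)
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += bs {
		block.Decrypt(out[i:i+bs], ciphertext[i:i+bs])
	}
	return out, nil
}

// identicalBlockPairs counts pairs of ciphertext blocks that are byte-for-byte
// equal. For a secure mode with a fresh IV this should be zero; for ECB it
// mirrors repetition in the plaintext.
func identicalBlockPairs(ciphertext []byte, bs int) int {
	pairs := 0
	for i := 0; i+bs <= len(ciphertext); i += bs {
		for j := i + bs; j+bs <= len(ciphertext); j += bs {
			if bytes.Equal(ciphertext[i:i+bs], ciphertext[j:j+bs]) {
				pairs++
			}
		}
	}
	return pairs
}

func main() {
	// Constructed plaintext: two identical 16-byte blocks.
	pt := bytes.Repeat([]byte("SAME-16-BYTE-BLK"), 2)
	ct, err := ecbEncrypt(hardcodedKey, pt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("identical ciphertext block pairs under ECB: %d\n", identicalBlockPairs(ct, 16))
	back, _ := ecbDecrypt(hardcodedKey, ct)
	fmt.Printf("decrypts with the shipped key: %q\n", back)
}
```

The defensive takeaways are the ones the research implies: keys must not live in the shipped artifact at all, and a mode with a per-message IV and integrity protection (such as an AEAD) should replace ECB.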

The shared library that holds these keys also includes explicit references to various VPN package names, including Turbo VPN, VPN Proxy Master, Snap VPN, and others. A single shared library used across these apps points to coordinated development and deployment across the provider network.

The providers identified in the research include Innovative Connecting, Autumn Breeze, and Lemon Clove. These entities, which collectively account for over 700 million downloads, operate VPN apps that belong to clusters secretly run by the same company. This hidden common ownership and deceptive branding is a significant concern, because it removes accountability and transparency.

The applications employ deprecated Shadowsocks configurations using the vulnerable rc4-md5 cipher suite, which provides no integrity protection. Because tampered ciphertext is never rejected, an attacker can mount decryption oracle attacks and recover plaintext, posing a serious threat to user privacy and security.
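Why the missing integrity check matters can be shown in a few lines. The example below is added here and is not code from the research or from Shadowsocks; it models the rc4-md5 construction in a simplified form (RC4 keyed with MD5(key || IV), an assumption stated in the comments) using constructed credentials and a fixed IV. Flipping one bit of the RC4 ciphertext silently flips the same bit of the recovered plaintext, which is the malleability that oracle attacks build on. The same bit flip against an AEAD cipher (AES-GCM here) is rejected outright, which is the property the deprecated suite lacks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rc4"
	"fmt"
)

// Constructed credentials for the demonstration; not values from any real
// app. The IV is fixed so the run is deterministic; real deployments must
// use a fresh random IV/nonce per message.
var sharedKey = []byte("constructed-shared-key-0") // 24 bytes
var streamIV = []byte("0123456789abcdef")          // 16 bytes

// rc4md5Stream models the rc4-md5 construction as assumed here: the RC4
// session key is MD5(key || IV). RC4 is a stream cipher, so encryption and
// decryption are the same XOR operation, and nothing checks integrity.
func rc4md5Stream(key, iv, data []byte) ([]byte, error) {
	material := append(append([]byte{}, key...), iv...)
	sum := md5.Sum(material)
	c, err := rc4.NewCipher(sum[:])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out, nil
}

// tamperStream encrypts, flips the low bit of ciphertext byte pos, and
// decrypts. The decryption "succeeds" and the flipped bit lands in the
// plaintext at the same position: the cipher cannot tell it was modified.
func tamperStream(plaintext []byte, pos int) ([]byte, error) {
	ct, err := rc4md5Stream(sharedKey, streamIV, plaintext)
	if err != nil {
		return nil, err
	}
	if pos < 0 || pos >= len(ct) {
		return nil, fmt.Errorf("position %d out of range", pos)
	}
	ct[pos] ^= 0x01
	return rc4md5Stream(sharedKey, streamIV, ct)
}

// tamperAEAD performs the same bit flip against AES-128-GCM. Open returns an
// error instead of corrupted plaintext, which is what an integrity check
// buys you.
func tamperAEAD(plaintext []byte, pos int) ([]byte, error) {
	block, err := aes.NewCipher(sharedKey[:16])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := streamIV[:gcm.NonceSize()] // 12 bytes, fixed for the demo only
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	if pos < 0 || pos >= len(ct) {
		return nil, fmt.Errorf("position %d out of range", pos)
	}
	ct[pos] ^= 0x01
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	msg := []byte("GET /account HTTP/1.1") // constructed sample payload
	pt, err := tamperStream(msg, 0)
	fmt.Printf("rc4-md5 after bit flip: %q, err=%v\n", pt, err)
	_, err = tamperAEAD(msg, 0)
	fmt.Printf("AES-GCM after bit flip: err=%v\n", err)
}
```

The detection and mitigation angle is simple: any Shadowsocks or tunnel configuration still listing a stream cipher such as rc4-md5 should be treated as a finding, and the fix is an AEAD cipher, which the Shadowsocks ecosystem has supported for years.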

Moreover, the VPN apps contain hard-coded Shadowsocks passwords, enabling attackers to decrypt all user traffic transmitted through their networks. The shared credential system allows unauthorized access to VPN services, enabling attackers to establish unauthorized tunnels using the extracted Shadowsocks parameters from any affected application. This design enables attackers to enumerate additional VPN servers by testing the extracted passwords against IP addresses within the same network ranges.

Furthermore, some VPNs use custom tunneling over standard ports (like port 53 for DNS) with dependencies susceptible to client-side blind attacks. This allows attackers to infer or manipulate VPN connections without decrypting traffic directly.

Weak source address validation on mobile devices also facilitates blind in/on-path attacks. Adversaries on the same network can infer active VPN connections or inject network packets, hijacking sessions despite tunnel encryption.

The identified security vulnerabilities and infection mechanisms of VPN apps like Turbo VPN, VPN Proxy Master, and Snap VPN stem from their shared ownership by a single entity and from flawed security practices that severely compromise user privacy and security. Users trusting these VPN apps may have their sensitive data intercepted, decrypted, or manipulated, undermining the confidentiality and integrity a VPN is supposed to provide.

In summary, the compromised VPN apps pose a significant risk to user privacy and security. Users are advised to avoid these apps and opt for trusted VPN services to protect their online activities.
