“Zero Logs” – 20 million accounts leaked!

Well.. where to begin.

A collection of ‘free’ VPN services left some servers completely open and accessible.
The lack of security for a security product is pretty insane.
A VPN that doesn’t protect your data? Huh?
Recommendation: https://www.youtube.com/watch?v=WVDQEoe6ZWY
Tom Scott explains VPNs.

Personally identifiable information for potentially over 20 million VPN users was exposed.

Every one of the VPNs mentioned below advertises its service as a “No-Log” VPN (lol),
which basically means that they don’t record any of the users’ activity or logs.
This turned out to be false.

Not only is this false, but what I and other sources found were cleartext passwords, IP addresses, home addresses, phone numbers, etc.

The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN.

Data Breach Summary

Apps: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN
Headquarters/Location: Hong Kong
Industry: Cybersecurity
Total size of data: 1.207 TB
Total number of files: 1,083,997,361 records
No. of people exposed: Over 20 million, based on user numbers claimed by the VPNs
Geographical scope: Worldwide
Types of data exposed: Activity logs, PII (names, emails, home address), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info, direct PayPal API links
Potential impact: Fraud, doxing, blackmail, extortion, viral attack, hacking, arrest, and persecution
Data storage format: Elasticsearch server

Digging deeper…

Somehow it looks like it all comes from the same developer, since all the VPNs mentioned above share a common Elasticsearch (ES) server.
They seem to have the same recipient for payments as well (Dreamfii HK Limited), and... don’t their websites look a bit... similar?

It looks like it’s just rebranded but comes from the same entity.

The brands the VPNs are marketed under include:

  • UFO VPN – “Super private & unlimited fast VPN for Android. Hide IP, unblock sites from 360.”
    Google Play Store: Rating 4.5 stars, 10M+ downloads
    Apple App Store: 4.8 stars
    Developer: Dreamfii HK Limited, Hong Kong
  • FAST VPN – “100% Free VPN for gaming: access websites, apps and mobile games unlimited”
    Google Play Store: Rating 4.5 stars, 1M+ downloads
    Apple App Store: Rating 4.6 stars
    Developer: Mobipotato HK Limited, Hong Kong
  • FREE VPN – “The best free VPN tunnel for android to unblock content. Feel the outer space!”
    Google Play Store: Rating 4.5 stars, 100k+ downloads
    Apple App Store: Rating 4.6 stars
    Developer: Starxmobi HK Ltd, Hong Kong
  • Super VPN – “Super VPN is the best unlimited VPN proxy for android.”
    Google Play Store: 4.6 stars, 1M+ downloads
    Apple App Store: 4.9 stars
    Developer: Nownetmobi, Hong Kong

A screenshot from securitytrails.com showing the different domains hosted on a single IP address managed by the company that owns the VPN apps

It’s also funny to see that all of these sites/services advertise that they use “Military grade security”, which is a joke at this point.

Fast VPN’s ‘Strict Zero Logs’ affirmation

UFO VPN’s security and confidentiality promise

Fast VPN’s Privacy Policy

The VPNs’ exposed database and server most likely shared a common developer and owner.

The log data displayed below is a sample taken from the database. It shows the VPN apps writing user data to an unsecured server.

For example, in the snippet above, the package name “com.freevpn.fast.unlimited.proxy” appears in the URL for Free VPN’s Google Play app page (“https://play.google.com/store/apps/details?id=com.freevpn.fast.unlimited.proxy”).

The same package name is also connected to the VPN’s website URL “http://free-vpn.io/”.

Similarly, the package name “vpn.fastvpn.freevpn” appears in the URL for Free VPN’s Google Play page (“https://play.google.com/store/apps/details?id=vpn.fastvpn.freevpn”).

The website for this app is “https://www.fastvpn.im/”.

Data Entries

After downloading it to my phone, I used the app to connect to some servers. Upon doing so, new activity logs were created in the database with my personal details, including an email address, location, IP address, device, and the servers I connected to.

New user registration logs for certain VPNs 

Fast VPN new user registration log

Record of a user from Bangladesh changing their password – shows an old and new password

Logged Web Activity and Technical Details

The exposed database contains a lot of personal details about users and technical information about their devices:

  • Connection logs, traffic, and sites visited
  • Origin IP addresses
  • Internet Service Provider (ISP)
  • Actual location
  • Device type
  • Device ID
  • App version
  • Phone models
  • User network connection

The VPN server each user connected to was also exposed, including its region and IP address. This makes the affected VPN service virtually useless, as the user’s origin IP address can be linked to their activity on the destination server.

User from Tehran, Iran

Another user from Tehran, Iran

Connection log of user from Khartoum, Sudan

In some cases, illicit sites were accessed from countries where viewing such content is an illegal and punishable activity.

Iranian user accessing adult content via the VPN

Additional user web activity log

User Support Messages

The exposed server also included multiple messages from users to the VPNs’ customer service agents, in particular complaints about the lack of support and about fraudulent charges from the VPN company itself.

Payment Information Logs

Sensitive PayPal API links were logged alongside the full names, emails, and addresses of users who chose this payment method assuming it would be more secure. Users paying with cryptocurrency are also recorded in logs that identify them by their email and other identifiers.

PayPal payment log of a user based in the USA

Cryptocurrency payment log of a user based in France

Personally Identifiable Information

There was no shortage of this data in this server leak. It included:

  • Full names
  • Users’ home or work addresses
  • Users’ origin IP address as well as the IP address of the VPN server they connected to
  • VPN account login credentials (email, username, password)

This log shows the full names for both the account holder and payer – two different individuals, who are representatives of a foreign embassy based in Turkmenistan.

Internal Data & Logs

The server was also being used to store internal data from some of the VPNs, including entries from their Customer Relationship Management (CRM) software, as well as all of the activity between the VPN app users and the company’s platform (including registration, speed tests, password changes, etc.).

Summary

While I can’t say for sure that someone hasn’t grabbed all of this data already, it’s incredibly funny how we see VPNs in general as our basic security when it all comes crumbling down on us.

And I got a feeling that it’s already leaked:
https://twitter.com/troyhunt/status/1284401324218445824
Troy Hunt uploading a new entry to an already big database.

We all have bad security practices, but when we entrust a company (a security company nonetheless) with our data, we expect it to be secure and that they follow their own guidelines/rules, like the ‘No Logs’ policy.

Stay safe and always question everything.
/Carl

Linux bash script – mail when disk usage passes a threshold

Hi there!
Today at work I needed a script to send me a mail notification when the disk was about to get full during an installation.

One could argue that I should’ve used some sort of bigger system like Nagios to get these messages, but in this scenario, this script that I wrote suits me better.

The script looks like this:

#!/bin/bash
# Used percentage of the root filesystem. -P forces one line per filesystem
# (GNU df otherwise wraps long device names), and awk strips the trailing "%"
# from the Use% column of the data row.
CURRENT=$(df -P / | awk 'NR==2 { sub(/%/, "", $5); print $5 }')
THRESHOLD=75

# Alert only when usage is strictly greater than the threshold.
if [ "$CURRENT" -gt "$THRESHOLD" ]; then
    mail -s 'Disk Space Alert' carl.skantz@carlskantz.se << EOF
Your root partition remaining free space is critically low. Used: $CURRENT%
EOF
fi

Here “CURRENT” holds the current usage percentage of the root partition, and “THRESHOLD” is the usage percentage above which an alert is sent.

When the current usage is greater than (-gt) the defined threshold, the script uses the “mail” command to send me a message with the current state.

Configure it the way you want it and change the email to your own.
Save it as whatever.sh then add it to crontab.
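As an added example (not the author’s script above), here is the same check split into functions that can be tested offline: the Use% column is taken from POSIX `df -P` output by matching the “Mounted on” column, so a wrapped line or a device name containing a slash cannot throw it off, and mail is only sent when the threshold is exceeded. The df output, mount points and recipient are constructed for the example.

```shell
#!/bin/sh
# Added example, not the original script. Cron runs with a minimal PATH, so a
# real deployment would set PATH explicitly (e.g. PATH=/usr/sbin:/usr/bin:/sbin:/bin).

# Print the Use% value (without "%") for one mount point, reading `df -P`
# output on stdin. -P guarantees one line per filesystem. Exit 1 if the
# mount point is not present at all, so a typo does not silently read as 0%.
usage_pct() {
    mount="$1"
    awk -v m="$mount" 'NR > 1 && $6 == m { sub(/%/, "", $5); print $5; found = 1 }
                       END { if (!found) exit 1 }'
}

# True (exit 0) when usage is strictly greater than the threshold.
over_threshold() {
    [ "$1" -gt "$2" ]
}

# Constructed `df -P` output used for offline testing; not from a real host.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         41152736 31000000   8000000      80% /
/dev/sdb1        205000000 10000000 190000000       6% /data
tmpfs              4096000        0   4096000       0% /run'

# Check one mount point and mail an alert when it is over the threshold.
# Returns 0 if an alert was sent, 1 if usage is fine, 2 if df gave no row.
check_and_alert() {
    mount="$1"; threshold="$2"; rcpt="$3"
    current=$(df -P "$mount" | usage_pct "$mount") || return 2
    if over_threshold "$current" "$threshold"; then
        printf 'Disk usage on %s is %s%% (threshold %s%%)\n' \
            "$mount" "$current" "$threshold" \
            | mail -s "Disk Space Alert: $(hostname) $mount" "$rcpt"
        return 0
    fi
    return 1
}

# Run for real only when invoked as: diskalert.sh <mount> <threshold> <recipient>
if [ $# -eq 3 ]; then
    check_and_alert "$1" "$2" "$3"
fi
```

A crontab entry such as `*/15 * * * * /usr/local/bin/diskalert.sh / 75 you@example.com` runs the check every 15 minutes; the recipient address here is a placeholder.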

Easy huh? yeah.

/Skantz

RJ45 wiring (note to self)

Wiring an RJ45 connector

The conductors can be connected according to two different schemes, which differ only in the order in which the conductors are placed. The technical names of these schemes are T568A and T568B, of which the latter is the most common in Sweden. Which scheme is chosen does not matter, as long as the cable is wired the same way at both ends.

The pairs in a TP (twisted-pair) cable each have their own colour (orange, green, blue and brown). One conductor is solid-coloured and the other is white with a stripe of the pair’s colour. This colour coding makes it easy to tell the conductors apart.

Diagrams of the T568A and T568B pinouts

10/100 Mbps wiring

Pin  Name  Description
1    TX+   Transmit data + (pair 2)
2    TX-   Transmit data – (pair 2)
3    RX+   Receive data + (pair 3)
4          Not used (pair 1)
5          Not used (pair 1)
6    RX-   Receive data – (pair 3)
7          Not used (pair 4)
8          Not used (pair 4)

1000 Mbps wiring (gigabit)

Pin  Name     Description
1    Data1 +  Bidirectional data (pair 1)
2    Data1 –  Bidirectional data (pair 1)
3    Data2 +  Bidirectional data (pair 2)
4    Data3 +  Bidirectional data (pair 3)
5    Data3 –  Bidirectional data (pair 3)
6    Data2 –  Bidirectional data (pair 2)
7    Data4 +  Bidirectional data (pair 4)
8    Data4 –  Bidirectional data (pair 4)