Well... where to begin.
A collection of ‘free’ VPN services left some servers completely open and accessible.
The lack of security in a security product is pretty insane.
A VPN that doesn’t protect your data? Huh?
Tom Scott explains VPNs.
Personally identifiable information for potentially over 20 million VPN users was exposed.
Every one of the VPNs mentioned below advertises its service as a “no-log” VPN (lol),
which basically means that they don’t record any of the users’ activity.
This turned out to be false.
Not only is it false, what I and other sources found included cleartext passwords, IP addresses, home addresses, phone numbers, etc.
Data Breach Summary
| Field | Value |
| --- | --- |
| Apps | UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN |
| Total size of data | 1.207 TB |
| Total number of records | 1,083,997,361 |
| No. of people exposed | Over 20 million, based on user numbers claimed by the VPNs |
| Types of data exposed | Activity logs, PII (names, emails, home addresses), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info, direct PayPal API links |
| Potential impact | Fraud, doxing, blackmail, extortion, viral attacks, hacking, arrest, and persecution |
| Data storage format | Elasticsearch server |
It looks like they all come from the same developer, since every VPN mentioned above writes to a common Elasticsearch (ES) server.
They seem to share the same payment recipient as well (Dreamfii HK Limited), and... don’t their websites look a bit... similar?
It looks like the same product, rebranded and sold by a single entity.
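The whole leak comes down to an Elasticsearch node that answered anonymous HTTP requests. The check below is an added example (mine, not code from the post or from the VPN developer) of how a practitioner confirms that state without pulling any data: it relies only on Elasticsearch’s documented behaviour that an unsecured node answers `GET /` with its cluster banner (HTTP 200, JSON with `cluster_name` and `version`) and lists indices at `/_cat/indices?format=json`, while a node with authentication enabled answers 401. The host name and the canned responses are constructed so the script runs offline.

```python
"""Check whether an Elasticsearch HTTP endpoint answers anonymous requests.

Added example, not code from the post or from the VPN apps. Assumes only
documented Elasticsearch behaviour: an unsecured node answers GET / with
its cluster banner (HTTP 200, JSON containing "cluster_name" and
"version") and lists indices at /_cat/indices?format=json; a node with
authentication enabled answers 401 instead.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

Fetcher = Callable[[str], Tuple[int, str]]


def http_get(url: str) -> Tuple[int, str]:
    """Live fetcher: (status, body) for an unauthenticated GET; 4xx is returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403 land here and still carry a status
        return err.code, err.read().decode("utf-8", "replace")


def classify_es(base_url: str, fetch: Fetcher = http_get) -> Dict[str, object]:
    """Report whether the node is open and, if so, which indices an anonymous caller can list."""
    base = base_url.rstrip("/")
    report: Dict[str, object] = {"url": base, "status": None, "open": False,
                                 "cluster_name": None, "indices": []}
    status, body = fetch(base + "/")
    report["status"] = status
    if status != 200:  # 401/403 = auth enforced; anything else = not ES or unreachable
        return report
    try:
        banner = json.loads(body)
    except json.JSONDecodeError:
        return report
    if not isinstance(banner, dict) or "cluster_name" not in banner or "version" not in banner:
        return report  # a 200 from something else (proxy landing page, etc.)
    report["open"] = True
    report["cluster_name"] = banner["cluster_name"]
    status, body = fetch(base + "/_cat/indices?format=json")
    if status == 200:
        try:
            report["indices"] = [row["index"] for row in json.loads(body)]
        except (json.JSONDecodeError, KeyError, TypeError):
            pass
    return report


# --- Constructed responses for offline use (sample data, not from the leak) ---
OPEN_NODE = {
    "/": (200, json.dumps({"name": "node-1", "cluster_name": "vpn-logs",
                           "version": {"number": "7.6.2"},
                           "tagline": "You Know, for Search"})),
    "/_cat/indices?format=json": (200, json.dumps(
        [{"index": "user-connect-2020.07"}, {"index": "payments"}])),
}
SECURED_NODE = {
    "/": (401, json.dumps({"error": {"type": "security_exception",
                                     "reason": "missing authentication credentials"}})),
}


def fake_fetch(table: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Build a fetcher that serves the canned responses above, keyed by path+query."""
    def fetch(url: str) -> Tuple[int, str]:
        parts = urllib.parse.urlsplit(url)
        key = parts.path + ("?" + parts.query if parts.query else "")
        return table.get(key, (404, ""))
    return fetch


if __name__ == "__main__":
    for label, table in (("open", OPEN_NODE), ("secured", SECURED_NODE)):
        print(label, classify_es("http://es.example.test:9200", fake_fetch(table)))
```

Against a real host you would call `classify_es("http://host:9200")` with the default live fetcher. If it reports `open` on infrastructure you don’t own, stop there and report it; listing index names is already enough evidence. On the defending side the fix is in `elasticsearch.yml`: `xpack.security.enabled: true` with users and passwords configured, and `network.host` bound to an internal address rather than a public interface, so that `GET /` without credentials returns 401 and the node is not reachable from the Internet at all.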
The brands the VPNs are marketed under include:
- UFO VPN – “Super private & unlimited fast VPN for Android. Hide IP, unblock sites from 360.”
Google Play Store: Rating 4.5 stars, 10M+ downloads
Apple App Store: 4.8 stars
Developer: Dreamfii HK Limited, Hong Kong
- FAST VPN – “100% Free VPN for gaming: access websites, apps and mobile games unlimited”
Google Play Store: Rating 4.5 stars, 1M+ downloads
Apple App Store: Rating 4.6 stars
Developer: Mobipotato HK Limited, Hong Kong
- FREE VPN – “The best free VPN tunnel for android to unblock content. Feel the outer space!”
Google Play Store: Rating 4.5 stars, 100k+ downloads
Apple App Store: Rating 4.6 stars
Developer: Starxmobi HK Ltd, Hong Kong
- Super VPN – “Super VPN is the best unlimited VPN proxy for android.”
Google Play Store: 4.6 stars, 1M+ downloads
Apple App Store: 4.9 stars
Developer: Nownetmobi, Hong Kong
A screenshot from securitytrails.com showing the different domains hosted on a single IP address managed by the company that owns the VPN apps
It’s also funny to see that all of these sites/services advertise that they use “Military grade security”, which is a joke at this point.
Fast VPN’s ‘Strict Zero Logs’ affirmation
UFO VPN’s security and confidentiality promise
The VPNs’ exposed database and server most likely share a common developer and owner.
The log data shown below is a sample taken from the database. It shows the VPN apps writing user data to an unsecured server.
For example, in the snippet, the package name “com.freevpn.fast.unlimited.proxy” appears in the URL for Free VPN’s Google Play app page (“https://play.google.com/store/apps/details?id=com.freevpn.fast.unlimited.proxy”).
The same package name is also connected to the VPN’s website URL “http://free-vpn.io/”.
Similarly, the package name “vpn.fastvpn.freevpn” appears in the URL for Fast VPN’s Google Play page (“https://play.google.com/store/apps/details?id=vpn.fastvpn.freevpn”).
The website for this app is “https://www.fastvpn.im/”.
After downloading it to my phone, I used the app to connect to some servers. Upon doing so, new activity logs were created in the database with my personal details, including an email address, location, IP address, device, and the servers I connected to.
New user registration logs for certain VPNs
Fast VPN new user registration log
Record of a user from Bangladesh changing their password – shows an old and new password
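A password-change record that contains the old and the new password means the app ships the secret itself to the log store. The block below is an added example (my code, not the VPN apps’ code) of what the same operation looks like when done properly: the server keeps only a salted scrypt hash, verifies the old password against it, and emits an audit event that carries a keyed pseudonym of the user instead of the email and no password material at all. The scrypt parameters, `LOG_KEY`, the class names and the sample account are hypothetical.

```python
"""Password change handled without ever persisting the secret.

Added example, not the VPN apps' code. The leaked record showed a
password change logged with the old and new password in cleartext; this
handler stores only a salted scrypt hash, verifies the old password
against it, and emits an audit event with a keyed pseudonym of the user
and no password material. All names and parameters are hypothetical.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional

# Interactive-login scrypt cost (hypothetical tuning): 128*N*r*p = 16 MiB of memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
LOG_KEY = os.urandom(32)  # server-side secret used only to pseudonymise log fields


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$N$r$p$salt$digest' string; fresh salt per call."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored alongside the hash; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                              n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))


def pseudonym(email: str) -> str:
    """Stable keyed identifier: support can correlate events without the log holding the email."""
    return hmac.new(LOG_KEY, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, str] = {}        # email -> stored hash, never the password
        self.audit: List[Dict[str, str]] = []  # events that are safe to ship to a log server

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)
        self.audit.append({"event": "register", "user": pseudonym(email)})

    def change_password(self, email: str, old: str, new: str) -> bool:
        stored = self.users.get(email)
        if stored is None or not verify_password(old, stored):
            self.audit.append({"event": "password_change_failed", "user": pseudonym(email)})
            return False
        self.users[email] = hash_password(new)
        self.audit.append({"event": "password_changed", "user": pseudonym(email)})
        return True


def leaks_secret(records: List[Dict[str, str]], secrets: List[str]) -> bool:
    """True if any secret string appears verbatim in what would be written to the log store."""
    blob = json.dumps(records)
    return any(s in blob for s in secrets)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.test", "hunter2!")      # constructed sample account
    store.change_password("alice@example.test", "hunter2!", "correct horse")
    print(json.dumps(store.audit, indent=2))
```

The `leaks_secret` check is the kind of test worth keeping in a CI suite for any service that forwards events to a central log store: feed it every secret the test used and assert none of them appear in what would be shipped.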
Logged Web Activity and Technical Details
It seems that the exposed database contains a lot of personal details about users and technical information about their devices:
- Connection logs, traffic, and sites visited
- Origin IP addresses
- Internet Service Provider (ISP)
- Actual location
- Device type
- Device ID
- App version
- Phone models
- User network connection
The VPN server each user connected to was also exposed, including its region and IP address. This makes the affected VPN services virtually useless, since the user’s origin IP address can be tied to the exit server they used and, through the connection logs, to their activity.
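What a “no-log” service could still retain without being able to link a person to their origin or their destinations is a small allowlist, not the record above. The block below is an added example (mine, not the apps’ code): `RAW_EVENT` is a constructed record whose fields mirror the list in this section, `minimise()` keeps only what capacity planning needs and coarsens the timestamp to the hour, and `safe_to_index()` is the guard that refuses to write anything that still carries a linking field. Field names, the region label and the addresses (TEST-NET ranges) are all hypothetical.

```python
"""Allowlist-based minimisation of a VPN connection event.

Added example, not the VPN apps' code. RAW_EVENT is constructed to mirror
the fields the post lists (origin IP, ISP, location, device ID, app
version, phone model, exit server IP and region, sites visited). Only the
allowlisted fields survive, each through a transform, and safe_to_index()
refuses any record that still ties a user to an origin or a destination.
"""
from datetime import datetime
from typing import Any, Callable, Dict, Set, Tuple

# Fields that identify the user or their network endpoint.
IDENTITY_FIELDS: Set[str] = {"email", "username", "password", "device_id", "phone_model",
                             "origin_ip", "isp", "location", "network"}
# Fields that reveal what the user did through the tunnel, or let a remote site's logs
# be joined to this one by exact exit IP and exact time.
ACTIVITY_FIELDS: Set[str] = {"sites_visited", "vpn_server_ip", "timestamp"}


def hour_bucket(ts: str) -> str:
    """Coarsen an ISO-8601 timestamp to the hour; enough for load graphs, too coarse to join."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0).isoformat()


def round_kib(n: int) -> int:
    """Round byte counts down to the KiB so an exact size cannot fingerprint a transfer."""
    return (int(n) // 1024) * 1024


# Allowlist: output field -> (input field, transform). Anything not listed is dropped.
RETAIN: Dict[str, Tuple[str, Callable[[Any], Any]]] = {
    "hour": ("timestamp", hour_bucket),
    "vpn_region": ("vpn_region", str),
    "app_version": ("app_version", str),
    "bytes_up": ("bytes_up", round_kib),
    "bytes_down": ("bytes_down", round_kib),
}


def minimise(raw: Dict[str, Any]) -> Dict[str, Any]:
    out: Dict[str, Any] = {}
    for out_key, (in_key, transform) in RETAIN.items():
        if in_key in raw:
            out[out_key] = transform(raw[in_key])
    return out


def linking_fields(record: Dict[str, Any]) -> Set[str]:
    """Fields present in the record that identify the user or their traffic."""
    return set(record) & (IDENTITY_FIELDS | ACTIVITY_FIELDS)


def safe_to_index(event: Dict[str, Any]) -> Dict[str, Any]:
    """Guard in front of the log store: refuse anything that still links a user."""
    bad = linking_fields(event)
    if bad:
        raise ValueError("refusing to index linking fields: %s" % sorted(bad))
    return event


# Constructed sample record; the shape is what the post describes, the values are made up.
RAW_EVENT: Dict[str, Any] = {
    "timestamp": "2020-07-05T13:42:17+00:00",
    "email": "user@example.test",
    "origin_ip": "203.0.113.45",      # TEST-NET-3, constructed
    "isp": "Example Telecom",
    "location": "Sample City, XX",
    "device_id": "a1b2c3d4e5f6",
    "phone_model": "Pixel 3a",
    "app_version": "2.3.1",
    "network": "wifi",
    "vpn_server_ip": "198.51.100.7",  # TEST-NET-2, constructed
    "vpn_region": "fr-par",
    "sites_visited": ["example.org", "example.net"],
    "bytes_up": 48211,
    "bytes_down": 3194000,
}


if __name__ == "__main__":
    print("raw links via:", sorted(linking_fields(RAW_EVENT)))
    print("retained:", safe_to_index(minimise(RAW_EVENT)))
```

The point of `safe_to_index` is that the allowlist is enforced at the last step before the write, so a new field added to the client payload cannot quietly reach the log store; the exit server’s own address and the exact connection time are treated as activity data because, together with the origin IP the apps were also logging, they are exactly what lets a third party’s access logs be joined back to a person.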
User from Tehran, Iran
Another user from Tehran, Iran
Connection log of user from Khartoum, Sudan
In some cases, illicit sites were accessed from countries where viewing such content is illegal and punishable.
Iranian user accessing adult content via the VPN
Additional user web activity log
User Support Messages
The leaking server also held multiple messages from users to the VPNs’ customer service agents, many of them complaining about the lack of support and about fraudulent charges by the VPN company itself.
Payment Information Logs
Sensitive PayPal API links were logged alongside the full names, emails, and addresses of users who chose this payment method, presumably assuming it would be more secure. Users paying with cryptocurrency are also recorded in logs that identify them by their email and other identifiers.
PayPal payment log of a user based in the USA
Cryptocurrency payment log of a user based in France
Personally Identifiable Information
There was no shortage of this data in this server leak. It included:
- Full names
- Users’ home or work addresses
- Users’ origin IP address as well as the IP address of the VPN server they connected to
- VPN account login credentials (email, username, password)
This log shows the full names of both the account holder and the payer – two different individuals who are representatives of a foreign embassy based in Turkmenistan.
Internal Data & Logs
The server was also used to store internal data from some of the VPNs, including entries from their Customer Relationship Management (CRM) software, as well as all of the activity between the VPN app users and the company’s platform (registration, speed tests, password changes, etc.).
While I can’t say for sure that someone hasn’t already grabbed all of this data, it’s incredibly funny how we see VPNs in general as our basic security, when it all comes crumbling down on us.
And I have a feeling that it has already leaked:
Troy Hunt uploading a new entry to an already big database.
We all have bad security practices, but when we entrust a company (a security company, no less) with our data, we expect it to be secure and expect them to follow their own guidelines and rules, like the ‘No Logs’ policy.
Stay safe and always question everything.