Yibelo has also publicly released proof-of-concept (PoC) exploit code, just a few lines of JavaScript, that could allow an unauthenticated, remote attacker to extract sensitive information and configuration data.

The software is included in Security Tools. A closer look at the company website shows this is the only product in its portfolio. VPN Shield is a Polish-based VPN service created by Defendemus in 2012. Versions 2.3, 2.2 and 2.0 are the ones most frequently downloaded by the program's users.

Kennedy Otieno Updated on 6th May 2022 Cybersecurity Researcher.

We cannot confirm whether a free download of this app is available.
"User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine," the vulnerability description reads.

VPN Shield 2.19 for Mac was available to download from the developer's website when we last checked.

"There are other multiple endpoints that return sensitive data including configuration details," Yibelo claims.
" generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected to what and what their real IP address is & other system juicy information."

This server hosts multiple JSONP endpoints that are, surprisingly, accessible to unauthenticated requests and whose responses could reveal sensitive information about the active VPN service, including its configuration details.
The vulnerability, assigned CVE-2018-6460, was discovered and reported to the company by an independent security researcher, Paulos Yibelo, but he made details of the vulnerability public on Monday after not receiving a response from the company.

According to the researcher's claims, the flaw resides in the local web server (which runs on a hardcoded host, 127.0.0.1, and port 895) that Hotspot Shield installs on the user's machine. However, an 'alleged' information disclosure vulnerability discovered in Hotspot Shield results in the exposure of users' data, such as the name of the Wi-Fi network (if connected), their real IP addresses, which could reveal their location, and other sensitive information.