Crucial vulnerabilities in PrivateVPN and Betternet can allow hackers to push fake updates and install malicious programs or steal user data
Update May 7: We updated the article to include clarification on what it means when certain VPN apps allowed for “interception of communication” and “connection while being intercepted”, but didn’t accept the fake updates.
Our new research has found that vulnerabilities in the Windows apps of two of the top 20 VPNs, PrivateVPN and Betternet, allow an attacker to intercept the apps' communication with their vendors' update servers and force them to download a fake update. Depending on the app, the fake update is either applied automatically or offered to the user through an update notification.
This is a serious problem: with the ability to push users to install fake updates, the hacker can install any program on a user’s computer or do a variety of malicious things, including:
- stealing personal data and selling it on the black market
- making bank payments with the victim’s computer
- secretly mining for crypto
- adding the device to a botnet
- locking the computer with ransomware
- leaking the victim’s stolen pictures, videos, recordings and messages online
This does not present PrivateVPN and Betternet in the best light. After all, these are VPNs – important cybersecurity tools that are meant to keep users safe, and users trust them to provide more security, not less.
But rather than protect their users' data, PrivateVPN and Betternet overlooked a basic security control, authenticating their own update channel, which lets a malicious actor steal that data or do worse.
We informed PrivateVPN and Betternet of the vulnerabilities in February, and they have now fixed these issues.
- PrivateVPN downloaded our fake update and executed it automatically, without asking for the user's approval
- Betternet downloaded the fake update but did not execute it automatically. Instead, it showed the user a notification to update the app, which most users will act on sooner or later
About this research
In order to undertake this research, our team analyzed the Windows apps of the top 20 VPNs (based on our own rankings), then ran the following series of checks to see whether our fake update could be installed:
- Check if the VPN app can have its connection intercepted.
- If yes, check if the VPN app connects while it is being intercepted.
- If yes, check if it downloads our fake update.
- If yes, check if it automatically applies our fake update.
We placed the complete results of our analysis at the bottom of the article for all 20 VPNs.
What do “interception of communication” and “connected while being intercepted” mean?
Since publication, our research has caused a bit of discussion in the VPN community. In an email exchange, Alexandra Bideaua from CyberGhost requested that we clarify what we meant by “intercepting communications”, and Sebastian Schaub from Hide Me asked the same, while claiming that their app has a “validation process to ensure the authenticity of the communication channels”. We responded to those requests immediately, but to clarify:
If a VPN has a “Yes” for the question “Can we intercept the connection?”, it means the VPN software had no certificate pinning or similar check that would have prevented us from intercepting its update requests with a certificate of our own. We were able to intercept the connection for 6 of the VPNs, while 14 had proper certificate pinning in place.
Some readers assumed that “intercepting communications” meant intercepting the traffic between the user and the VPN server. In reality, our research is about the update requests the client app makes to the vendor's endpoints; the VPN tunnel itself was never touched.
If a VPN has a “Yes” for the question “Did it connect while being intercepted?”, it means the VPN software still established its connection to the VPN server while our interception of its client traffic was in place. If the answer is “No”, it did not connect. In our tests, 4 of the top 20 VPNs established this connection, while 16 did not.
However, because our proof of concept depended on pushing a fake update through the app, and those VPNs (CyberGhost, Hotspot Shield, Hide Me and TorGuard) did not accept it, we did not count this as a vulnerability.
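The four checks above, together with the certificate pinning point just explained, come down to two controls an update client has to enforce on its own side: pin the update host's key so an interceptor's certificate is rejected even if the machine trusts it, and verify a signature on the update itself so that a redirected or swapped installer is never executed. The following is an added example written for this article, not code from PrivateVPN, Betternet or our research team, showing both controls in Go; the host name updates.example-vpn.test, the Ed25519 release key, the version string and the installer bytes are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns hex(SHA-256(SubjectPublicKeyInfo)) of a DER certificate,
// the value an app would hardcode for its update host at build time.
func SPKIPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// PinVerifier has the shape of tls.Config.VerifyPeerCertificate: on top of normal
// chain validation it rejects any leaf whose SPKI hash is not on the allow-list.
func PinVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		pin, err := SPKIPin(rawCerts[0])
		if err != nil {
			return err
		}
		if !pins[pin] {
			return fmt.Errorf("pin mismatch for update host: %s", pin)
		}
		return nil
	}
}

// NewReleaseKey generates the vendor's Ed25519 release key pair; only the public
// half ships inside the app, the private half stays offline (demo: error ignored).
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// signedMessage binds the version to the installer so an old signed build cannot be replayed.
func signedMessage(version string, installer []byte) []byte {
	return append([]byte(version+"\n"), installer...)
}

// SignUpdate is the release-side step; VerifyUpdate is the client-side check
// that must pass before the downloaded installer is written to disk or run.
func SignUpdate(priv ed25519.PrivateKey, version string, installer []byte) []byte {
	return ed25519.Sign(priv, signedMessage(version, installer))
}

func VerifyUpdate(pub ed25519.PublicKey, version string, installer, sig []byte) error {
	if !ed25519.Verify(pub, signedMessage(version, installer), sig) {
		return errors.New("update signature invalid: refusing to apply")
	}
	return nil
}

// selfSignedDER mints a throwaway ECDSA certificate so the example runs offline
// (demo helper, errors ignored); each call yields a new key and thus a new pin.
func selfSignedDER(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func main() {
	const host = "updates.example-vpn.test" // hypothetical update host
	legit, interceptor := selfSignedDER(host), selfSignedDER(host)
	pin, _ := SPKIPin(legit)
	verify := PinVerifier(map[string]bool{pin: true})
	fmt.Println("legit host passes pin:     ", verify([][]byte{legit}, nil) == nil)
	fmt.Println("interceptor passes pin:    ", verify([][]byte{interceptor}, nil) == nil)
	pub, priv := NewReleaseKey()
	installer := []byte("constructed installer bytes")
	sig := SignUpdate(priv, "2.0.1", installer)
	fmt.Println("signed update verifies:    ", VerifyUpdate(pub, "2.0.1", installer, sig) == nil)
	fmt.Println("swapped installer verifies:", VerifyUpdate(pub, "2.0.1", []byte("attacker payload"), sig) == nil)
}
```

The pin is what the interception step in the table tests for: an interceptor presenting a certificate for the same host name but a different key fails the SPKI comparison, whatever CA signed it. The pin does nothing, however, once the bytes are in hand, which is what the last two columns of the table probe: a redirect to an attacker-hosted executable changes the installer bytes but cannot forge the release signature, and because the version string is part of the signed message, a genuinely signed older build is not accepted as an upgrade either. Either check failing has to abort before anything is written to disk or executed, and the app must not fall back to an unpinned or plain-HTTP update path when the pinned connection fails.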
What this vulnerability means for you
Imagine you’re sitting in a cafe or at the airport and connect to the free wifi. Because you’re carefully following the best practices according to most VPN providers, you make sure to connect to a VPN before going online.
Then, you get a notification from your VPN tool to install a recent update. Of course, you do, because it's important to keep your software up-to-date (another best practice). And then, boom: your screen glitches, goes black, and you get this delightful message:
You’ve just been hacked.
Your personal files have been locked and you can’t get them back without paying the hacker’s ransom.
So what happened?
Don’t worry – it’s not your fault. You followed the best practices and acted in a safe, responsible manner. What happened is that your trusted VPN tool unfortunately did not act in a safe, responsible manner.
What happened – if you’d been using Betternet or PrivateVPN – is that the hacker was able to intercept the communications between the VPN program on your computer and the app’s backend infrastructure.
In order for hackers to carry out the attack, they’ll need one of two things. In the first option, the hacker would need to be on the same network as yours. Usually, the hacker can do this by duping you into connecting to a fake wifi hotspot (such as “Cofeeshop”) rather than the shop’s real wifi (“Coffeeshop”).
Alternatively, the hacker would need access to your router, with your computer using the DNS server the router hands out via DHCP, so that the app's update requests can be pointed at a server the attacker controls.
Once the hacker has intercepted the communications, he or she can convince your VPN tool to download a fake update, which in our example above was WannaCry ransomware.
Unfortunately, it’s not limited to just ransomware. With this vulnerability, hackers can do a lot of bad things, including:
- steal all kinds of sensitive info: the attacker can steal all your cookies, passwords, and sensitive files, including your banking details, PayPal cookies, and crypto wallets, and upload it to the hacker’s server
- make bank payments with the victim's computer: using the stolen details, the attacker can deploy malware such as hVNC (hidden virtual network computing), which lets them operate the victim's desktop without their knowledge, and use the victim's bank, PayPal, or other financial accounts to make payments
- use your computer for crypto mining: the attacker can use the victim’s computer to mine for crypto in a process known as cryptojacking. This works in the background, and all you’ll notice is that your computer is getting slower and slower
- add your computer to their botnet: the attacker can add the victim’s computer to its botnet for various reasons, such as DDoS attacks, similar to what happened in the 2016 Dyn cyberattack that caused major Internet platforms and services like Amazon, Facebook, Airbnb, CNN, etc. to be unavailable to large swathes of users in Europe and North America
- sell your data on the black market: although not the most common use, the attacker can sell all this data on the black market
- leak all your sensitive pictures, videos, recordings or messages: while this is not the most common case, the hacker can leak sensitive files to the public, such as for revenge
We notified Betternet and PrivateVPN on February 18.
Betternet and PrivateVPN were able to verify our findings and got to work immediately on a fix. Both sent us a patched version to test; PrivateVPN rolled its fix out on March 26, and Betternet released its patched version on April 14.
How to protect yourself
Unfortunately, there isn’t much you can do when the very app you’re using has such a vulnerability.
For the most part, you can be extra safe and not use public wifi at all, or make sure that the wifi you're connecting to actually belongs to the cafe, airport, or wherever you are. That is one important step, but it can be hard to verify who really runs a free wifi network.
For that reason, it’s best that you
- don’t download anything, including updates, on untrusted or free public wifi
- make sure you have an effective antivirus program installed, such as ESET, which can help notify you of malicious software on your device, and even help stop the software from installing
List of all VPNs analyzed
| VPN Name | Can we intercept the connection? | Did it connect while being intercepted? | Did it download our fake update? | Did it automatically execute our update? | Can it be done without our cert? | Can it be spoofed with a redirect to our exe? |
| --- | --- | --- | --- | --- | --- | --- |
| CyberGhost | Yes | Yes | No update call was present | – | – | – |
| Hotspot Shield | Yes | No | No update call was present | – | – | – |