“No-log” VPN leaks millions of user logs
With the spread of the coronavirus epidemic, social isolation, remote entertainment and remote work have become the norm, and global interest in VPNs has surged. Since the beginning of this year, the users and traffic of some commercial VPN providers have doubled. At the same time, VPN-related security issues have become increasingly prominent. Some well-known VPN brands, such as ProtonVPN and NordVPN, and even the brands of well-known network security providers including Microsoft, McAfee, ESET, Kaspersky, and Symantec, have been used by criminals to trick users into downloading spyware, ransomware, and data theft software.
At the same time, a large number of VPN services are at risk of privacy leakage. “Not recording user log data” is the selling point of many VPN service providers, but many VPN services do not actually deliver on it.
- Account passwords in plain text
- VPN session secrets and tokens
- IP addresses of both user devices and the VPN servers they connected to
- Connection timestamps
- Device and OS characteristics
- URLs that appear to be domains from which advertisements are injected into free users’ web browsers
Most of this data is stored in easy-to-read plain text files. The database is neither protected nor encrypted, and can be accessed without even a password. The number of affected accounts is unknown, but all UFO VPN users may be more or less at risk of data leakage. The database discovered so far exposes more than 20 million user logs every day.
UFO VPN shares the same code base and settings with many other common Android VPN applications, some of which have more than one million installs. According to a report by the researcher, VPNs with a large number of users at risk of leakage include UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN.