Most VPN service providers claim they don't track their users or keep any logs. Unfortunately, this is not always true. So, recently, a specialist at Comparitech, Bob Diachenko, discovered a leak of user data collected by a VPN provider that allegedly did not keep logs.
It all started when Dyachenko noticed an unprotected Elasticsearch cluster on the network, where 894 GB of data belonging to the UFO VPN provider were stored. As it turned out, the following were carefully recorded in the logs: account passwords (by open test), secrets and tokens of VPN sessions, IP addresses of user devices and VPN servers to which they connected, connection timestamps, location information, data about the devices themselves and OS versions, as well as web domains from which advertising was introduced into the browsers of users of the free version of UFO VPN.
At the same time, the privacy policy of UFO VPN states that the service does not track user actions outside the company's website, and does not collect any data.
According to Comparitech, more than 20,000,000 new entries are added to UFO VPN logs every day. Dyachenko writes that as early as July 1, 2020, he warned the provider about a data leak, he never received a response. Only a few weeks later, the base still disappeared from sight and was no longer detected by Shodan when the specialist contacted the UFO VPN hoster.
VPNmentor specialists also discovered this leak. They report that the problem is not only affecting UFO VPN and its users, but six other VPN providers from Hong Kong: FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. All of these names seem to lead to the same organization that provides a kind of white-label base for VPN services. And, of course, all of these providers state that they do not keep any logs.
All of the providers listed worked with the same unsecured Elasticsearch cluster. In total, the researchers found about 1.2 TB of data in the public domain: 1,083,997,361 logs, many of which contain confidential information.
So, in the logs you can find information about visited websites, connection logs, people's names, email addresses and home addresses of users, clear text passwords, information about payments in Bitcoin and Paypal, messages to the support service, user device specifications, and information about accounts.
Paypal payment from a US user
VPNmentor researchers even created an account with one of the providers, after which they found it in the logs, as well as information about the email address, location, IP address, device and servers to which they connected.
New User Registration
Experts notified the providers about the problem and the need to remove the cluster from open access, and even reported the situation to HK-CERT, but no action was taken to immediately fix the incident.
Only now, a few weeks later, UFO VPN representatives released an official statement and announced that due to the coronavirus pandemic, they were unable to properly protect user data and did not notice in time that an error was made in the firewall configuration.
The provider also assures that the logs discovered by the experts were anonymous and were stored solely for the purpose of monitoring bandwidth, although some records could contain IP addresses, as well as tokens and account secrets. The provider insists that there were no clear text passwords in the logs, and experts mistook for passwords something else, for example, session tokens. In terms of email addresses, UFO VPN explains that sometimes users submit reviews containing email addresses, but less than one percent.
Comparitech and VPNmentor experts fundamentally disagree with the provider's position and write that the data found was definitely not anonymous. They recommend that all users change their passwords.
(c) xakep.ru
