Seven 'no log' VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet
2020-07-17 21:51

It all came to light this week after Comparitech's Bob Diachenko spotted 894GB of records in an unsecured Elasticsearch cluster that belonged to UFO VPN. The silo contained streams of log entries as netizens connected to UFO's service: this information included what appeared to be account passwords in plain text, VPN session secrets and tokens, IP addresses of users' devices and the VPN servers they connected to, connection timestamps, location information, device characteristics and OS versions, and web domains from which ads were injected into the browsers of UFO's free-tier users.

A few days later, on July 5, the data silo was separately discovered by Noam Rotem's team at VPNmentor, and it became clear the security blunder went well beyond UFO. It appears seven Hong Kong-based VPN providers - UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN - all share a common entity, which provides a white-labelled VPN service.

Finally, it's worth mentioning UFO's software is developed by Dreamfii HK Limited, which receives all the aforementioned VPN providers' sales transactions, and appears to ultimately control those VPN brands.

"In this case, the effects are even more widespread because of a common industry practice called white labeling, in which smaller VPN providers rebrand a larger service and piggyback on their network, infrastructure, and software. In this case, there seem to be at least seven VPN providers whose customer data was leaked, completely contrary to their marketing claims of 'no logging.'"

"The few providers that have undergone some sort of third-party audit are at best able to show a narrow point-in-time snapshot of some portion of their technology. It's well known in the industry that highly placed search-engine ad campaigns for VPN services routinely fetch upwards of seven figures. The average consumer is simply outmatched, and these companies prey on people's fears. It's a disgrace."

News URL

https://go.theregister.com/feed/www.theregister.com/2020/07/17/ufo_vpn_database/