
Hong Kong: Seven free VPNs allegedly leave users' logs and personal details open for all to see, report reveals

All components of this story

20 July 2020

Hong Kong: Server shared by several VPNs accused of being "completely open and accessible" and exposing private user data

Author: The Sydney Morning Herald

“Data breach of free VPN providers exposes details of millions of users”, 20 July 2020

… vpnMentor cybersecurity researchers claim they found an unsecured server shared by several VPNs, software designed to protect users, and say it could potentially affect more than 20 million users.

In a report provided to Nine News, the researchers say the server was "completely open and accessible, exposing private user data for everyone to see".

It claims the affected apps include UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN.

Lead researcher Noam Rotem said his team found entries within the exposed database that contained personal details about users, such as email addresses, home addresses, clear text passwords, IP addresses and other identifying information…

It appears the apps on the exposed server share a common Hong Kong-based owner and developer.

Spokespeople for UFO VPN and Fast VPN issued nearly identical statements in response to questions about the breach: "Due to personnel changes caused by COVID-19, we've not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed".

The companies also claimed they didn't collect all the types of data that the researchers say they found.

Mobipotato – the company representing FastVPN – confirmed the server was at risk from June 29 to July 13.

The other companies did not respond to requests for comment, and the contact email provided for RabbitVPN bounced back…

20 July 2020

Hong Kong: Seven free VPNs allegedly leave users' logs and personal details open for all to see, report reveals

Author: VPNMentor

"Report: No-Log VPNs Exposed Users’ Logs and Personal Details for All to See", 16 July 2020

A group of free VPN (virtual private network) apps left their server completely open and accessible, exposing private user data for anyone to see. This lack of basic security measures in an essential part of a cybersecurity product is not just shocking. It also shows a total disregard for standard VPN practices that put their users at risk.

The vpnMentor research team... uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.

Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.

The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all of which appear to be connected by a common app developer and white-labeled for other companies...

... we reached out to four of the VPNs and their developers, along with Hong Kong’s Computer Emergency Response Team (HKCERT) office, and, eventually, numerous tech journalists...

Mobipotato responded quickly but seemed unaware of the issues that come with an unsecured server – especially one that contains information they’re not supposed to be recording – and didn’t understand what “PIIs and its affections” are.

We sent two replies to the company twice but received no further communication.

... we attempted contact with numerous people at Dreamfii, the developers of UFO VPN, to no avail...

The journalists we enlisted to help us... eventually received some replies to their inquiries…

… we received the following response from the UFO VPN Team:

“… We do not collect and restore users’ home addresses. In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality...

‘clear text passwords’ are not the password for logging in their accounts… We name it “password” in feedback and store it in cleartext. But for user accounts and logging-in passwords, we have all of them encrypted when transferring and storing.”

However, based on our investigation, we concluded this statement was incorrect and replied with further evidence to back this up...

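The two reports above turn on a pair of engineering failures: a "password" field kept in cleartext on a server that was reachable by anyone, and per-user activity and PII retained by services marketed as "no-log". The block below is an added illustration, not code from the page, from vpnMentor, or from any of the VPN vendors named; the field names, the allowlist and the sample record are assumptions constructed for the example. It shows the two controls a practitioner would expect: credentials stored only as salted scrypt hashes (hashed, not "encrypted", so there is nothing reversible to leak), and records reduced to the non-identifying fields that network-performance analysis actually needs before they reach any log or analytics store.

```python
"""Added example (not from the page, vpnMentor or any VPN vendor).

1. Credentials are stored only as salted, slow-KDF hashes and checked in
   constant time; no reversible "encrypted" copy exists to leak.
2. Records bound for a log/analytics store are stripped of secrets and
   reduced to an allowlist, so an exposed store cannot reveal PII.
All field names, the allowlist and SAMPLE_RECORD are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# Keys treated as secrets wherever they appear in a record (assumption).
SECRET_FIELDS = {"password", "passwd", "pwd", "token", "secret", "api_key"}

# Fields a network-performance analysis can legitimately keep (assumption).
ANALYTICS_ALLOWLIST = {"app_version", "server_region", "latency_ms",
                       "protocol", "connect_ok"}

# Constructed sample of what a feedback/session record might contain.
SAMPLE_RECORD = {
    "email": "user@example.com",
    "password": "hunter2",
    "ip": "203.0.113.7",
    "device_id": "a1b2c3",
    "app_version": "2.3.1",
    "server_region": "hk",
    "latency_ms": 184,
    "connect_ok": True,
    "feedback": {"message": "cannot connect", "password": "hunter2"},
}

# scrypt parameters: 128*n*r = 16 MiB of memory per hash, deliberately slow.
_SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>'; a fresh random salt per call."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        alg, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex), **_SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def redact_secrets(record: dict) -> dict:
    """Replace secret-named fields, recursing into nested dicts such as feedback."""
    out = {}
    for key, value in record.items():
        if key.lower() in SECRET_FIELDS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact_secrets(value)
        else:
            out[key] = value
    return out


def minimize_for_analytics(record: dict) -> dict:
    """Keep only allowlisted fields: email, IP, device ID etc. never leave the app."""
    return {k: v for k, v in record.items() if k in ANALYTICS_ALLOWLIST}


if __name__ == "__main__":
    stored = hash_password("hunter2")
    print(stored, verify_password("hunter2", stored))
    print(redact_secrets(SAMPLE_RECORD))
    print(minimize_for_analytics(SAMPLE_RECORD))
```

Redaction is the fallback for data that must be retained (a support ticket, say); allowlisting is the stronger control, since a field that is never written cannot be exposed by a firewall mistake.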