Hong Kong: Seven free VPNs allegedly leave users' logs and personal details open for all to see, report reveals

Author: VPNMentor, Published on: 20 July 2020

"Report: No-Log VPNs Exposed Users’ Logs and Personal Details for All to See", 16 July 2020

A group of free VPN (virtual private network) apps left their server completely open and accessible, exposing private user data for anyone to see. This lack of basic security measures in an essential part of a cybersecurity product is not just shocking. It also shows a total disregard for standard VPN practices that put their users at risk.

The vpnMentor research team... uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.

Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.

The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all of which appear to be connected by a common app developer and white-labeled for other companies...

... we reached out to four of the VPNs and their developers, along with Hong Kong’s Computer Emergency Response Team (HKCERT) office, and, eventually, numerous tech journalists...

Mobipotato responded quickly but seemed unaware of the issues that come with an unsecured server – especially one that contains information they’re not supposed to be recording – and didn’t understand what “PIIs and its affections” are.

We sent two replies to the company twice but received no further communication.

... we attempted contact with numerous people at Dreamfii, the developers of UFO VPN, to no avail...

The journalists we enlisted to help us... eventually received some replies to their inquiries…

… we received the following response from the UFO VPN Team:

“… We do not collect and restore users’ home addresses. In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality...

‘clear text passwords’ are not the password for logging in their accounts… We name it “password” in feedback and store it in cleartext. But for user accounts and logging-in passwords, we have all of them encrypted when transferring and storing.”

However, based on our investigation, we concluded this statement was incorrect and replied with further evidence to back this up...
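The report above describes two distinct failures: a service that advertises "no-log" behaviour persisting activity records and PII (email addresses, IP addresses, device IDs, phone models), and a free-text "password" field in feedback submissions being stored in cleartext. As an added example, not code from vpnMentor or from any of the VPN developers named here, the Python below shows the defensive pattern a no-log product would apply before anything reaches disk: drop secret fields outright, redact PII fields, coarsen IP addresses to a network prefix, scrub email addresses out of free text, and run an audit that flags any stored record that still carries such data. The field names, the sample feedback record and the redaction placeholders are constructed for this example and are assumptions, not values taken from the exposed server.

```python
import ipaddress
import re

# Field classes a no-log service should never persist. Names are constructed
# for this example and mirror the data classes named in the report.
SECRET_FIELDS = {"password", "clear_text_password", "token"}
PII_FIELDS = {"email", "home_address", "phone_model", "device_id"}
IP_FIELDS = {"ip", "ip_address", "client_ip"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample: the kind of feedback record the report describes,
# containing a free-text "password" field, PII and a client IP.
SAMPLE_FEEDBACK = {
    "event": "feedback",
    "email": "user@example.com",
    "password": "hunter2",
    "ip": "203.0.113.45",
    "device_id": "abc-123",
    "phone_model": "Pixel 4",
    "message": "Contact me at user@example.com, app keeps crashing",
    "net": {"rtt_ms": 120, "client_ip": "203.0.113.45"},
}


def mask_ip(value):
    """Keep only a coarse network prefix (/16 for IPv4, /32 for IPv6).

    Enough to analyse regional network performance, not enough to identify
    a single subscriber. Non-IP input is replaced rather than stored as-is.
    """
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "[redacted-ip]"
    prefix = 16 if ip.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def sanitize_record(record):
    """Return a copy of `record` safe to persist under a no-log policy."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in SECRET_FIELDS:
            continue  # dropped entirely; a free-text secret is never stored, hashed or not
        if k in PII_FIELDS:
            out[key] = "[redacted]"
        elif k in IP_FIELDS:
            out[key] = mask_ip(value)
        elif isinstance(value, dict):
            out[key] = sanitize_record(value)  # nested telemetry gets the same treatment
        elif isinstance(value, str):
            out[key] = EMAIL_RE.sub("[redacted-email]", value)  # scrub free text
        else:
            out[key] = value
    return out


def _flatten(obj, prefix=""):
    """Yield (dotted.path, value) pairs for every leaf in a nested dict."""
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from _flatten(value, path + ".")
        else:
            yield path, value


def audit_records(records):
    """Return (record_index, field_path) for every stored value that violates the policy.

    This is the detection side: run it over what actually sits on the
    server to verify that the no-log claim holds in practice.
    """
    findings = []
    for i, rec in enumerate(records):
        for path, value in _flatten(rec):
            k = path.split(".")[-1].lower()
            if k in SECRET_FIELDS or (k in PII_FIELDS and value != "[redacted]"):
                findings.append((i, path))
            elif isinstance(value, str) and EMAIL_RE.search(value):
                findings.append((i, path))
            elif k in IP_FIELDS and "/" not in str(value):
                findings.append((i, path))  # a full host address was stored
    return findings


if __name__ == "__main__":
    print("before:", audit_records([SAMPLE_FEEDBACK]))
    clean = sanitize_record(SAMPLE_FEEDBACK)
    print("stored:", clean)
    print("after:", audit_records([clean]))
```

The audit deliberately treats a "password" field as a violation whatever its value, which addresses the distinction drawn in the developer's response: whether a field holds a login credential or a user-supplied "password" typed into a feedback form, it should not be on a server that is reachable by others, and the scan does not need to know which it is to flag it.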

Read the full post here