Developed by AnchorFree GmbH, Hotspot Shield is a VPN service available for free on Google Play Store and Apple Mac App Store with an
estimated 500 million users around the world.
The service promises to "secure all online activities," hide users' IP addresses and identities, and protect them from tracking by
transferring their internet and browsing traffic through its encrypted
channel.
However, an 'alleged' information disclosure vulnerability
discovered in Hotspot Shield results in the exposure of users' data, such as
the name of the Wi-Fi network (if connected), their real IP addresses,
which could reveal their location, and other sensitive information.
The vulnerability, assigned CVE-2018-6460, was discovered and reported to the company by an independent security researcher, Paulos
Yibelo, but he made details of the vulnerability public on Monday
after not receiving a response from the company.
According to the researcher's claims, the flaw resides in the local web server (running on the hardcoded host 127.0.0.1 and port 895) that
Hotspot Shield installs on the user's machine.
This server hosts multiple JSONP endpoints which, surprisingly, are also accessible to unauthenticated requests and in response could
reveal sensitive information about the active VPN service, including its
configuration details.
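
The contrast below is an added example, not code from Hotspot Shield or from the researcher: it shows the weak JSONP pattern described above next to a hardened loopback handler. The `STATUS` fields, the `x-local-token` header, the handler shape and the assumption that only the native client legitimately calls the endpoint are all hypothetical.

```javascript
// Added example: hypothetical loopback status handler. STATUS, header names
// and the handler shape are constructed, not Hotspot Shield's real API.
const ALLOWED_HOSTS = new Set(["127.0.0.1:895", "localhost:895"]);
const STATUS = { connected: true, ssid: "ExampleWiFi", realIp: "203.0.113.7" };

function reply(code, type, body) {
  return { code, headers: { "Content-Type": type, "X-Content-Type-Options": "nosniff" }, body };
}
const deny = (code, reason) => reply(code, "application/json", JSON.stringify({ error: reason }));

// Weak pattern: JSONP returns executable script to any caller, so a page on
// any origin can include it and receive STATUS without authentication.
function weakHandler(req) {
  const cb = req.query.callback || "cb";
  return reply(200, "application/javascript", `${cb}(${JSON.stringify(STATUS)})`);
}

// Compare tokens without exiting early on the first mismatching character.
function tokenOk(given, expected) {
  const a = String(given || ""), b = String(expected || "");
  let diff = a.length ^ b.length;
  for (let i = 0; i < b.length; i++) diff |= (a.charCodeAt(i) || 0) ^ b.charCodeAt(i);
  return b.length > 0 && diff === 0;
}

// Hardened pattern: exact Host match (defeats DNS rebinding), refuse requests
// carrying browser context headers, no JSONP, and require a per-install secret.
function hardenedHandler(req, secret) {
  const h = req.headers;
  if (!ALLOWED_HOSTS.has(h.host)) return deny(403, "bad host");
  // Modern browsers attach Origin and/or Sec-Fetch-Site; the native client
  // (assumed to be the only legitimate caller) sends neither.
  if ("origin" in h || "sec-fetch-site" in h) return deny(403, "browser request");
  if ("callback" in req.query) return deny(400, "jsonp disabled");
  if (!tokenOk(h["x-local-token"], secret)) return deny(401, "unauthenticated");
  return reply(200, "application/json", JSON.stringify(STATUS));
}
```

The per-install secret is the control that holds even against older browsers that omit the fetch-metadata headers; the other checks narrow the exposure further.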
Yibelo has also publicly released proof-of-concept (PoC) exploit code, just a few lines of JavaScript, that could allow an
unauthenticated, remote attacker to extract sensitive information and
configuration data.