(Photo: iStock)
(Photo: iStock)

Your VPN service may be leaking private data to third parties

  • In any VPN network, a user’s computer may belong to him or her, but the exit node (remote server) belongs to the VPN provider that chooses the encryption algorithms and VPN protocols
  • US government’s CISA cautioned about VPN applications that were insecurely storing session cookies

NEW DELHI : If you believe that your virtual private network (VPN) is the Fort Knox of the online world that will keep your data safe and private, you may want to think again. Designed to secure connections between networks over the internet and keep a user’s online activities private, VPNs find favour among companies as well as individuals. However, not all VPN platforms are secure.

“A wrong VPN provider could eavesdrop on a user’s online activity and sensitive information, sell this information on the dark web to adverting agencies, or to intelligence agencies. Using a poorly secured VPN service can expose users to a lot more damage than using no VPN at all," cautions Ritesh Chopra, country manager, consumer business unit at security firm Symantec.

He has a point. In any VPN network, a user’s computer may belong to him or her, but the exit node (remote server) belongs to the VPN provider that chooses the encryption algorithms and VPN protocols. So the security of the server is up to the provider, explains Leonard Sim, head of pre-sales (APAC) at cybersecurity firm Kaspersky. He adds, “You have to trust your provider as much as you trust yourself. You need to know that the provider isn’t sniffing or modifying your traffic, that it doesn’t log everything, and that it uses reliable protocols and strong encryption."

This April, for instance, US government’s Cybersecurity and Infrastructure Security Agency (CISA) cautioned about VPN applications that were insecurely storing session cookies.

The agency warned that if cybercriminals gain access to a VPN user’s endpoint and extracts the cookies, they can replay the session and bypass other authentication methods.

Nevertheless, the increase in the adoption of VPN—be it for privacy, bypassing ISPs or to gain access to online content available in other countries—has also given rise to a breed of counterfeit VPNs.

On the surface, these VPNs will seem genuine, but in reality they might be logging all user activity, with the intention to sell it to the highest bidders. “Although VPNs remain one of the most effective means of maintaining online privacy, there is a possibility that they too can be hacked, particularly if they are built using any vulnerable, open-source VPN libraries," cautions Venkat Krishnapur, vice-president of engineering and MD at cybersecurity firm McAfee India.

The VORACLE attack is one such example where vulnerability in the VPN protocol was exploited. Tech security researcher Ahamed Nafeez mimicked the attack that targeted VPN tunnels last year.

Krishnapur believes paid VPNs are a better bet as they include features equipped to stop password and data thefts, prevent IP-based tracking and have options to automatically disconnect a user-device from the internet until the VPN connection is restored, and prevent accidental exposure.

Experts believe users should be cautious of VPN services facing regular domain name system (DNS) leaks, connectivity issues and IP leaks as well as those that offer lower levels of encryption. Reading their licence agreement carefully before using them also helps.

Close