Flaws in 4 popular VPNs could've let hackers steal your data, researchers say

But two of the VPN services push back against the findings.

Rae Hodge Former senior editor

Researchers say four virtual private network services had security flaws that could've exposed users to online attacks. In a statement Wednesday, industry research firm VPNpro said vulnerabilities in PrivateVPN and Betternet could've let hackers install malicious programs and ransomware in the form of a fake VPN software update. The researchers said they were also able to intercept communications when testing the security of VPNs CyberGhost and Hotspot Shield. 

The vulnerabilities worked only on public Wi-Fi, and a hacker would've needed to be on the same network as yours to perform an attack, according to the firm. "Usually, the hacker can do this by duping you into connecting to a fake Wi-Fi hotspot, such as 'Cofeeshop' rather than the shop's real Wi-Fi, 'Coffeeshop,'" the company said in the release.

VPNs are routinely marketed as security solutions to protect against the potential risks of using public Wi-Fi.  

VPNpro said the vulnerabilities were disclosed to PrivateVPN and Betternet on Feb. 18, and have since been fixed by the two companies. 

"Betternet and PrivateVPN were able to verify our issues and got to work immediately on a solution to the problem we presented. Both even sent us a version to test, which PrivateVPN rolled out on March 26," VPNpro said in the report. "Betternet released their patched version on April 14."


When attacking CyberGhost and Hotspot Shield, VPNpro researchers said, they were able to intercept the communications between the VPN program and the app's backend infrastructure. In the case of Betternet and PrivateVPN, the researchers said they were able to go beyond just this, and were able to convince the VPN program to download a fake update in the form of the notorious WannaCry ransomware.

Betternet and PrivateVPN didn't respond to CNET's requests for comment. VPNpro didn't say whether it had reached out to CyberGhost and Hotspot Shield, but CyberGhost told CNET that VPNpro hadn't. 

Contacted for comment on the research, CyberGhost spokesperson Alexandra Bideaua said the release put out by VPNpro "can't be labeled as valid research." Bideaua said the report lacks proper methodology and doesn't explain how the attacks were carried out or clarify the meaning given to broad concepts like "intercept a connection." 

"This is similar to saying a mailman can be seen carrying his bag in the streets," Bideaua said. "Betting on fearmongering, VPNpro is trying to imply there is a danger in having your encrypted communication intercepted. But the 256-bit encryption we use is impossible to crack. Such an attempt would require extreme computational power and some million years to succeed. We also use secure app updating procedures that can't be interfered with by third parties.

"VPNpro didn't contact us with their apparent findings before sending their report to the press and didn't respond to our requests for clarifications," Bideaua said. "As a result, we are now considering legal action against it."

Hotspot Shield similarly expressed doubts about the research results in its response to CNET.

"It is not possible to decrypt communications between our clients and our backend solely via a rogue WiFi or takeover of the router. The only way this can be accomplished is by also breaking military-grade, 256-bit encryption or putting a malicious root certificate on the user's computer," a spokesperson for Hotspot Shield said. 

"If either of these things happened, then most network communications would be compromised -- including all web browsing -- banking websites, et cetera."

Hotspot Shield also uses a proprietary VPN protocol called Hydra that, the company said, implements an advanced security technique called certificate pinning, so even a malicious root certificate wouldn't affect its clients.
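The pinning defense Hotspot Shield describes above, shown as an added example (illustrative Python written for this page, not code from Hotspot Shield, Hydra, VPNpro or any other vendor): a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate, hashes it into a pin, and the update client accepts the connection only when the server's leaf key matches a pin shipped with the app, so a certificate minted under an attacker-installed root is rejected even though the OS trust store would accept it. The certificates here are constructed stand-ins with placeholder fields so the example runs offline; a real client would apply the same check to the leaf certificate returned by the TLS handshake.

```python
import base64
import hashlib

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag, short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_children(blob: bytes) -> list:
    """Split a run of DER TLVs into (tag, content) pairs (X.509 uses single-byte tags only)."""
    out, i = [], 0
    while i < len(blob):
        tag, n, i = blob[i], blob[i + 1], i + 2
        if n & 0x80:  # long form: the next (n & 0x7F) bytes hold the length
            k = n & 0x7F
            n, i = int.from_bytes(blob[i:i + k], "big"), i + k
        out.append((tag, blob[i:i + n]))
        i += n
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo TLV of an X.509 cert: Certificate = SEQ{tbs, sigAlg, sig};
    TBSCertificate = SEQ{[0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, spki, ...}."""
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    if fields[0][0] == 0xA0:  # explicit [0] version tag present (v2/v3 certs)
        fields = fields[1:]
    return der(fields[5][0], fields[5][1])

def pin_of(cert_der: bytes) -> str:
    """SPKI pin in the 'sha256/<base64>' form used by HPKP and OkHttp-style pinning."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def update_server_allowed(leaf_cert_der: bytes, pins: set) -> bool:
    """Chain validation against the OS trust store happens first; this extra check is what makes
    a leaf issued under an attacker-installed root insufficient to impersonate the update server."""
    return pin_of(leaf_cert_der) in pins

def build_stand_in_cert(spki_content: bytes, issuer: bytes) -> bytes:
    """Constructed stand-in with the X.509 field layout and placeholder contents (not a real cert)."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + der(0x30, issuer) + der(0x30, b"") + der(0x30, b"") + der(0x30, spki_content))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

# Constructed sample: the genuine update server's key, and a rogue key issued under a malicious root.
GENUINE_CERT = build_stand_in_cert(b"constructed-genuine-update-server-key", b"real-ca")
ROGUE_CERT = build_stand_in_cert(b"constructed-rogue-hotspot-key", b"malicious-root")
UPDATE_PINS = {pin_of(GENUINE_CERT)}  # shipped inside the app, not fetched from the network
```

The stand-in certificates carry no signature, so only the pin decides here; in production the pin check runs in addition to normal chain validation, never instead of it.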

VPNpro updated its research following the publication of this story, aiming to address what it called misinterpretations of its methodology. 

"If a VPN had a 'Yes' for the question 'Can we intercept the connection?', this means that the VPN software had no additional certificate pinning or similar procedures in place that would prevent VPNpro tests from intercepting the communication with the update network requests," a VPNpro spokesperson said in an email. "VPNpro was able to intercept the connection for 6 of the VPNs, while 14 had the proper certificate pinning in place. 

"Some mistakenly assumed that 'intercepting communications' meant that VPNpro intercepted the communications between the user and VPN server, but in reality, VPNpro research is about updates and the client endpoints, and not about touching the VPN connection."

Along with a move toward more transparent methodology, VPNpro appeared to scale back its assessment of the reported vulnerabilities. 


"Because our proof of concept was based on pushing a fake update through the app, and since [CyberGhost and Hotspot Shield] didn't accept it, VPNpro didn't consider this as a vulnerability. Only 2 VPNs tested by VPNpro, PrivateVPN and Betternet, were considered to have vulnerabilities and both had the issue fixed, as stated within the research," VPNpro said.

"If there were any vulnerabilities detected in [CyberGhost and Hotspot Shield], VPNpro team would have for sure contacted all providers about them first, as we have very strict rules in place regarding these matters."

When you're on public Wi-Fi, the VPNpro researchers said, you should use caution, verifying that you're connecting to the correct network. You should also avoid downloading anything -- including software updates to your own VPN -- until you're on a private connection, they said.



Originally published May 6, 12 a.m. PT.
Updates, 1:40 p.m.: Includes response from CyberGhost; May 7: Adds response from Hotspot Shield; May 15: Includes additional response from VPNpro.