“Zero Logs” VPN Company Exposes Millions Of User Logs

Tyler Durden

Sun, 07/19/2020 – 13:00

Hong Kong-based UFO VPN, which advertises a 'zero logs' policy, left a database exposed without any password. The database was growing by more than 20 million user log entries per day and held 894 GB of data when it was found.

The logs reportedly included passwords, IP addresses, geographical location, connection timestamps, session tokens, device information and the OS used.

This is in stark contrast to UFO VPN’s stated privacy policy that “We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services.”

The exposure was found by Comparitech's Bob Diachenko after the search engine Shodan.io indexed the server hosting the data. Diachenko located the exposed database four days after it was indexed and notified UFO VPN. Two weeks later, having received no fix, he notified the hosting provider; the database was secured the following day, more than two weeks after UFO VPN was first notified.

If bad actors managed to get their hands on the data before it was secured, it could pose several risks to UFO VPN users.

The plain-text passwords are the most clear and direct threat. Hackers could not only use them to hijack UFO VPN accounts, but might also be able to carry out credential stuffing attacks on other accounts. If the same password is used across multiple accounts, they could all be compromised.

IP addresses could be used to discern users’ whereabouts and corroborate their online activity. VPNs are often used to hide users’ real locations and online activity.

The session secrets and tokens could be used to decrypt session data that an attacker might have captured. For example, if an attacker intercepted encrypted data being sent through the VPN on a compromised wi-fi network, they could conceivably decrypt that data with this information.

Email addresses could be used to target users with tailored phishing messages and scams. –Comparitech

The company told Comparitech in an email: “Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed,” adding “We don’t collect any information for registering.”

“In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked.”

Comparitech disagrees, and believes that the exposed data was not anonymous.
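The dispute above turns on a testable question: do the stored records actually identify users? The following is an added example, not code from the original article, from Comparitech or from UFO VPN. It is a small audit script that takes exported log records and flags every field that ties a record to a person or a live session: plaintext credentials, session tokens, email addresses, device identifiers and routable source IP addresses. The field names and the three sample records are constructed for illustration; the point is the check itself, which is what one would run against a real export before accepting a "the collected information is anonymous" claim.

```python
"""Audit exported log records for user-identifying data.

Added example (not from the original article). Field names such as
"password", "session_token", "src_ip" and "device_id" are assumptions about
the export format; the SAMPLE_RECORDS below are constructed, not real data.
"""
import ipaddress
import re

# Loose email matcher; good enough to catch addresses embedded in free-text fields.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Fields whose mere presence (with a non-empty value) makes a record identifying.
SENSITIVE_FIELDS = {
    "password": "plaintext credential",
    "session_token": "session secret",
    "email": "direct identifier",
    "device_id": "device identifier",
}

# RFC 1918 space: an address in here does not locate a user on the internet.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_routable_ip(value):
    """True if `value` parses as an IP address that is neither private,
    loopback nor link-local, i.e. one that can be used to locate a user."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local:
        return False
    return not any(ip in net for net in RFC1918_NETS)


def classify_record(record):
    """Return a list of human-readable findings for one record (a dict).
    An empty list means nothing in the record identifies a user."""
    findings = []
    # Pass 1: known-sensitive field names.
    for field, reason in SENSITIVE_FIELDS.items():
        if record.get(field):
            findings.append(f"{field}: {reason}")
    # Pass 2: identifying values hiding in arbitrary string fields.
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        if field not in SENSITIVE_FIELDS and EMAIL_RE.search(value):
            findings.append(f"{field}: contains email address")
        if is_routable_ip(value):
            findings.append(f"{field}: routable IP address")
    return findings


def audit(records):
    """Return (identifying_count, total_count, findings_by_index)."""
    report = {}
    for index, record in enumerate(records):
        findings = classify_record(record)
        if findings:
            report[index] = findings
    return len(report), len(records), report


# Constructed sample records. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for real public addresses.
SAMPLE_RECORDS = [
    {"ts": "2020-07-01T12:00:00Z", "email": "alice@example.com", "password": "hunter2",
     "src_ip": "203.0.113.7", "session_token": "abc123", "os": "Android 9"},
    {"ts": "2020-07-01T12:00:01Z", "src_ip": "10.0.0.5", "latency_ms": 42, "os": "iOS 13"},
    {"ts": "2020-07-01T12:00:02Z", "user": "bob@example.org", "src_ip": "198.51.100.23",
     "device_id": "d-9f2"},
]

if __name__ == "__main__":
    identifying, total, report = audit(SAMPLE_RECORDS)
    print(f"{identifying} of {total} records identify a user")
    for index, findings in report.items():
        for finding in findings:
            print(f"  record {index}: {finding}")
```

Only the second record, with a private source address and performance counters, would pass as anonymous; the other two fail on several independent fields, which is the shape of result that makes a "we only keep anonymous performance data" statement easy to check rather than argue about.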

UFO VPN says it has 20 million users and claims to offer "bank grade protection" in addition to its "zero log" policy. Its focus is unblocking content such as the region-locked streaming service Netflix, as well as blocked apps and websites.


This post has been republished with permission from a publicly-available RSS feed found on Zero Hedge. The views expressed by the original author(s) do not necessarily reflect the opinions or views of The Libertarian Hub, its owners or administrators. Any images included in the original article belong to and are the sole responsibility of the original author/website. The Libertarian Hub makes no claims of ownership of any imported photos/images and shall not be held liable for any unintended copyright infringement. Submit a DMCA takedown request.

