This week, researchers from Sapienza University of Rome and Queen Mary University of London published a study detailing security vulnerabilities among 14 popular VPN service providers. While normally these services are seen as a secure way to transfer data over a public network or get onto blocked websites, some of them can actually reveal your entire browsing history. This is due to what the researchers describe as "IPv6 traffic leakage" and "DNS hijacking."

| Provider | Countries | Servers | Technology | DNS | IPv6-leak | DNS hijacking |
|---|---|---|---|---|---|---|
| Hide My Ass | 62 | 641 | OpenVPN, PPTP | OpenDNS | Y | Y |
| IPVanish | 51 | 135 | OpenVPN | Private | Y | Y |
| Astrill | 49 | 163 | OpenVPN, L2TP, PPTP | Private | Y | N |
| ExpressVPN | 45 | 71 | OpenVPN, L2TP, PPTP | Google DNS, Choopa Geo DNS | Y | Y |
| StrongVPN | 19 | 354 | OpenVPN, PPTP | Private | Y | Y |
| PureVPN | 18 | 131 | OpenVPN, L2TP, PPTP | OpenDNS, Google DNS, Others | Y | Y |
| TorGuard | 17 | 19 | OpenVPN | Google DNS | N | Y |
| AirVPN | 15 | 58 | OpenVPN | Private | Y | Y |
| Private Internet Access | 10 | 18 | OpenVPN, L2TP, PPTP | Choopa Geo DNS | N | Y |
| VyprVPN | 8 | 42 | OpenVPN, L2TP, PPTP | Private (VyprDNS) | N | Y |
| Tunnelbear | 8 | 8 | OpenVPN | Google DNS | Y | Y |
| proXPN | 4 | 20 | OpenVPN, PPTP | Google DNS | Y | Y |
| Mullvad | 4 | 16 | OpenVPN | Private | N | Y |
| Hotspot Shield Elite | 3 | 10 | OpenVPN | Google DNS | Y | Y |

Out of the 14 VPN services covered by the study, 10 were vulnerable to IPv6 leaks and only one was safe from DNS hijacking. None of the VPN providers were secured against both IPv6 leaks and DNS hijacking.

The issues stem from the VPN providers manipulating the IPv4 routing table but ignoring the IPv6 table, so IPv6 traffic is not routed through the tunnel. The paper also notes that the VPN tunnel protocol PPTP, which is common among the VPN service providers, is particularly vulnerable.

To end the traffic leakage, the researchers suggest that providers ensure their IPv6 routing table captures all traffic. Additionally, the VPN tunnel protocol should be changed so that it secures DNS. Hopefully, the critiqued VPN providers will take notice of the research and swiftly address the security flaws.
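The routing-table gap described above, and the suggested fix, can be checked on a client by asking which interface the kernel would pick for an IPv4 and an IPv6 destination. The following is an added example, not code from the study or from any provider: the route listings are constructed samples in iproute2 format, and the interface names `tun0`/`wlan0`, the probe addresses and the pair of `/1` IPv6 routes used as the fix are assumptions.

```python
import ipaddress

# Constructed `ip -4 route` / `ip -6 route` output for a host with a VPN
# tunnel on tun0 and a dual-stack Wi-Fi uplink on wlan0 (not from the study).
ROUTES_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""
ROUTES_V6 = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
# Same host once the IPv6 table captures all traffic (assumed fix: two /1 routes).
ROUTES_V6_FIXED = ROUTES_V6 + "::/1 dev tun0 metric 50\n8000::/1 dev tun0 metric 50\n"

BLOCKING = {"unreachable", "blackhole", "prohibit"}  # route types that drop traffic

def parse_routes(text, version):
    """Return (network, egress) pairs; egress is a device name or 'blocked'."""
    any_net = "0.0.0.0/0" if version == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        blocked = tok[0] in BLOCKING
        if blocked:
            tok = tok[1:]
        net = ipaddress.ip_network(any_net if tok[0] == "default" else tok[0], strict=False)
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((net, "blocked" if blocked else dev))
    return routes

def egress(text, dest):
    """Longest-prefix match: which device would carry a packet to dest?"""
    addr = ipaddress.ip_address(dest)
    hits = [(n.prefixlen, d) for n, d in parse_routes(text, addr.version) if addr in n]
    return max(hits, key=lambda h: h[0])[1] if hits else "blocked"

def leaks(text, dest, tunnel="tun0"):
    """True when traffic to dest would leave on an interface other than the tunnel."""
    return egress(text, dest) not in (tunnel, "blocked")
```

On a live Linux client the same functions can be fed the real output of `ip -4 route` and `ip -6 route` taken while the VPN is connected.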
