This week, researchers from Sapienza University of Rome and Queen Mary University of London published a study detailing security vulnerabilities among 14 popular VPN service providers. While normally these services are seen as a secure way to transfer data over a public network or get onto blocked websites, some of them can actually reveal your entire browsing history. This is due to what the researchers describe as "IPv6 traffic leakage" and "DNS hijacking."
| Provider | Countries | Servers | Protocols | DNS | IPv6 leak | DNS hijacking |
|---|---|---|---|---|---|---|
| Hide My Ass | 62 | 641 | OpenVPN, PPTP | OpenDNS | Y | Y |
| Astrill | 49 | 163 | OpenVPN, L2TP, PPTP | Private | Y | N |
| ExpressVPN | 45 | 71 | OpenVPN, L2TP, PPTP | Google DNS, Choopa Geo DNS | Y | Y |
| PureVPN | 18 | 131 | OpenVPN, L2TP, PPTP | OpenDNS, Google DNS, Others | Y | Y |
| Private Internet Access | 10 | 18 | OpenVPN, L2TP, PPTP | Choopa Geo DNS | N | Y |
| VyprVPN | 8 | 42 | OpenVPN, L2TP, PPTP | Private (VyprDNS) | N | Y |
| proXPN | 4 | 20 | OpenVPN, PPTP | Google DNS | Y | Y |
| Hotspot Shield Elite | 3 | 10 | OpenVPN | Google DNS | Y | Y |
Out of the 14 VPN services covered by the study, 10 were vulnerable to IPv6 leaks and only one was safe from DNS hijacking. None of the VPN providers were secured against both IPv6 leaks and DNS hijacking.
The issues stem from the VPN providers manipulating the IPv4 routing table but ignoring the IPv6 routing table. The paper also notes that PPTP, a VPN tunnel protocol common among the VPN service providers, is particularly vulnerable.
To end the traffic leakage, the researchers suggest that the providers ensure their IPv6 routing table captures all traffic. Additionally, a change should be made to the VPN tunnel protocol so that it secures DNS. Hopefully, the critiqued VPN providers will take notice of the research and swiftly address the security flaws.
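The routing-table gap described above can be checked from the client side. The following is an added example, not code from the study or from any provider's client: it runs a longest-prefix-match lookup over `ip route` and `ip -6 route` output and reports destinations that would bypass the tunnel. The route dumps, the interface names (`tun0`, `eth0`) and the probe addresses are constructed assumptions, and route metrics are ignored.

```python
import ipaddress

# Constructed `ip route` / `ip -6 route` output for a dual-stack Linux client
# with a VPN up on tun0 (assumed names; not captured from a real host).
IPV4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.7 via 192.168.1.1 dev eth0
"""
# The VPN client added nothing here: the IPv6 table still points at eth0.
IPV6_ROUTES = """\
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""
# Same table once the tunnel also captures the whole IPv6 address space.
IPV6_ROUTES_FIXED = IPV6_ROUTES + "::/1 dev tun0 metric 50\n8000::/1 dev tun0 metric 50\n"

PROBES_V4 = ["1.0.0.1", "192.0.2.1"]          # constructed off-link destinations
PROBES_V6 = ["2001:db8::1", "2a00:db8::1"]

def parse_routes(text, version):
    """Return [(network, device)] for every route line that names a device."""
    default = "0.0.0.0/0" if version == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if "dev" not in tok:
            continue
        prefix = default if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # skip route types such as "unreachable" or "blackhole"
        routes.append((net, tok[tok.index("dev") + 1]))
    return routes

def egress(routes, addr):
    """Device chosen by longest-prefix match, or None if no route matches."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None

def leaking(routes, tunnel, probes):
    """Probe addresses that would leave through an interface other than the tunnel."""
    return [p for p in probes if egress(routes, p) not in (tunnel, None)]

if __name__ == "__main__":
    print("IPv4 leaks:", leaking(parse_routes(IPV4_ROUTES, 4), "tun0", PROBES_V4))
    print("IPv6 leaks:", leaking(parse_routes(IPV6_ROUTES, 6), "tun0", PROBES_V6))
```

On a live Linux host the two constants would be replaced with the real command output; the host route to the VPN server itself (`198.51.100.7` here) is expected to stay on the physical interface.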