A group of researchers from Sapienza University of Rome and Queen Mary University of London have published a study detailing significant security flaws in 16 commercial VPN services.
The problems arise from the way these VPN services operate over dual-stack networks (those using both IPv4 and IPv6). Over half of the services were found to be open to partial (and sometimes full) IPv6 traffic leakage, with the potential to expose the user's browsing history—even on websites that only use IPv4 connectivity.
All the services save for one were also found to be vulnerable to DNS hijacking, which can also expose IPv4 network traffic. Equally worrying is the fact that roughly half of the services provide connectivity through the Point-to-Point Tunneling Protocol with MS-CHAPv2 authentication, a method which can be easily cracked via brute force.
VPN services have risen in popularity for a multitude of reasons—whether for security on a public hotspot, privacy concerns, or simply as a way to work around regional restrictions on content. This study shows that users should be careful, however, as it's very easy to unwittingly purchase VPN services done wrong.
Bruno Ferreira
