Flaws in 4 popular VPNs could’ve let hackers steal your data, researchers say

Researchers say four virtual private network services had security flaws that could’ve exposed users to online attacks. In a Wednesday release, industry research firm VPNpro said vulnerabilities in PrivateVPN and Betternet could’ve let hackers install malicious programs and ransomware in the form of a fake VPN software update. The researchers said they were also able to intercept communications when testing the security of VPNs CyberGhost and Hotspot Shield.

The vulnerabilities worked only on public Wi-Fi, and a hacker would’ve needed to be on the same network as yours to perform an attack, according to the firm. “Usually, the hacker can do this by duping you into connecting to a fake wifi hotspot, such as ‘Cofeeshop’ rather than the shop’s real wifi, ‘Coffeeshop,'” the company said in the release.

VPNs are routinely marketed as security solutions to protect against the potential risks of using public Wi-Fi.

Read more: The best VPN service for 2020

VPNpro said the vulnerabilities were disclosed to PrivateVPN and Betternet on Feb. 18, and have since been fixed by the two companies.

“Betternet and PrivateVPN were able to verify our issues and got to work immediately on a solution to the problem we presented. Both even sent us a version to test, which PrivateVPN rolled out on March 26. Betternet released their patched version on April 14,” VPNpro said in the report.

When attacking CyberGhost and Hotspot Shield, VPNpro researchers said, they were able to intercept the communications between the VPN program and the app’s backend infrastructure. In the case of Betternet and PrivateVPN, the researchers said they were able to go beyond just this, and were able to convince the VPN program to download a fake update in the form of the notorious WannaCry ransomware.

VPNpro didn’t say whether it had reached out to CyberGhost and Hotspot Shield. Neither those companies, nor PrivateVPN, responded to CNET’s request for comment. CyberGhost declined to comment.

When you’re on public Wi-Fi, the researchers said, you should use caution, verifying that you’re connecting to the correct network. You should also avoid downloading anything — including software updates to your own VPN — until you’re on a private connection, they said.

For more advice on VPNs, check out the best cheap VPN options for working from home, red flags to watch out for when choosing a VPN, and seven Android VPN apps to avoid because of their privacy sins.