Darknet Security

A lot of Darknet users use VPN services to connect to Tor. This article will show why that is a very bad idea.

A number of “zero logging” VPN providers have breached customer trust after more than one terabyte of user activity logs were found on their servers unprotected and facing the public internet.

Earlier this week Comparitech’s Bob Diachenko spotted 894GB of records in an unsecured Elasticsearch cluster that belonged to UFO VPN.

The data included clear-text passwords, personal information, and lists of websites visited, all open for anyone in the world to see.

Streams of log entries of netizens connecting to UFO’s service were all open. Information included what appeared to be plain text account passwords, VPN session tokens and secrets, connection timestamps, IP addresses of VPN users’ devices and servers they connected to, location information, device fingerprints and OS versions, and web domains that served ads to UFO’s free-tier users.

At least 20 million entries were added to the logs every day; UFO VPN boasts on its website that it has 20 million users. Bob Diachenko alerted the provider about the leaking information on July 1, the day he found the data, and UFO VPN has not responded.

The issues got worse a few days later, on July 5, 2020, when Noam Rotem’s team at VPNmentor discovered the data breach and found that it appears to affect seven Hong-Kong-based VPN providers, namely Super VPN, UFO VPN, FAST VPN, Rabbit VPN, Free VPN, Flash VPN and Secure VPN. These providers all share a common organization, which provides a white-labelled VPN service.

In its privacy policy UFO VPN says in bold: “We do not track user activities outside of our site, nor do we track the website browsing or connection activities of users who are using our Services.” Despite that claim, the exposed data shows that they were logging information on user activities, and anyone in the world could easily find it.

These seven providers used an Elasticsearch cluster and they all leaked information from that common cluster. As much as 1.2 TB of data was open to the public totaling 1,083,997,361 log entries that included passwords and a lot of sensitive information.

When examined, the data was found to include logs of websites visited, Bitcoin and PayPal payment information, people’s names, connection logs, subscribers’ email and home addresses, plain-text passwords, messages to support desks, account information and device specifications.

According to Rotem “Each of these VPNs claims that their services are ‘no-log’ VPNs, which means that they don’t record any user activity on their respective apps, … However, we found multiple instances of internet activity logs on their shared server. This was in addition to the personally identifiable information, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.”

To verify that the data was truly being leaked, Rotem and his team created an account with one of the providers and connected through it; the new account’s activity then appeared in the logs together with its IP address, device information, email address and the servers connected to. Rotem and the VPNmentor team notified the providers involved in the leak, and no action was taken.

Diachenko warned UFO VPN’s hosting provider about the leak, and the next day it all disappeared, but it was too late, as some of it had already been indexed on shodan.io for 18 days.

Screenshot of Shodan

In a press release UFO VPN blamed the COVID-19 pandemic for preventing users from securing the database, claiming that logs were only kept for traffic performance analysis and that they were anonymized. But that is not true, as IP addresses, account tokens, passwords and much more critical information was available to the public.

UFO VPN also said that less than 1% of user data was compromised, saying: “some feedback sent by users themselves contain email addresses, however, the number is very small, less than one per cent of our users.”

However, Comparitech and VPNmentor dispute this. VPNmentor called UFO’s statement “incorrect”, and Comparitech’s Paul Bischoff said: “Based on some sample data, we do not believe this data to be anonymous. We recommend UFO VPN users change their passwords immediately, and the same goes for any other accounts that share the same password.”

UFO VPN’s software is developed by Dreamfii HK Limited, who control those VPN brands and take payments on their behalf.

Kenneth White, a security researcher, was scathing in his assessment of the situation and warned users not to trust the claims of VPN providers. “It’s disappointing but honestly not terribly surprising to see yet another breach from a popular commercial VPN service,” Kenneth White said.

“In this case, the effects are even more widespread because of a common industry practice called white labeling, in which smaller VPN providers rebrand a larger service and piggyback on their network, infrastructure, and software. In this case, there seem to be at least seven VPN providers whose customer data was leaked, completely contrary to their marketing claims of ‘no logging.’”

“The vast majority of companies that operate these services use patently false marketing, have very murky corporate provenance, and in some cases are literally run by convicted financial crime felons, so of course they will claim ‘strong privacy and security’ protections when in fact they offer neither,”

“The few providers that have undergone some sort of third-party audit are at best able to show a narrow point-in-time snapshot of some portion of their technology. It’s well known in the industry that highly placed search-engine ad campaigns for VPN services routinely fetch upwards of seven figures. The average consumer is simply outmatched, and these companies prey on people’s fears. It’s a disgrace.”

Darknet Advice

Final Advice to Darknet Users

With such a revelation coming to light, darknet users accessing markets and other websites through Tor should not use VPN providers: doing so leaves them at the mercy of the VPN networks, and with no independent audit it is even harder to trust the providers’ claims.

Source: The Register

Disclaimer: We are not responsible for anything you do on the Darknet and you must be aware that using the darknet comes with risks. This website will be your number one source for news and information on the darknet.