Popular VPNs may dodge China's Great Firewall, but also 'leak sensitive data': report

PUBLISHED : Thursday, 02 July, 2015, 8:00am
UPDATED : Friday, 03 July, 2015, 11:46pm

Fourteen of the world's most popular virtual private network (VPN) services may be leaking sensitive customer data, a new report has revealed.

According to researchers from the Queen Mary University of London and the University of Rome, VPN users may not be as safe from snooping as they think.

"Users who believe themselves to be anonymous and secure will be in fact fully exposing their data and online activity footprint," the researchers said (pdf).

| Provider | Countries | Servers | IPv6 leak | DNS hijacking |
|---|---|---|---|---|
| Hide My Ass | 62 | 641 | Y | Y |
| IPVanish | 51 | 135 | Y | Y |
| Astrill | 49 | 163 | Y | N |
| ExpressVPN | 45 | 71 | Y | Y |
| StrongVPN | 19 | 354 | Y | Y |
| PureVPN | 18 | 131 | Y | Y |
| TorGuard | 17 | 19 | N | Y |
| AirVPN | 15 | 58 | Y | Y |
| PrivateInternetAccess | 10 | 18 | N | Y |
| VyprVPN | 8 | 42 | N | Y |
| Tunnelbear | 8 | 8 | Y | Y |
| proXPN | 4 | 20 | Y | Y |
| Mullvad | 4 | 16 | N | Y |
| Hotspot Shield Elite | 3 | 10 | Y | Y |

Table: VPN services subject to the study (Source: QMUL/UR)

The VPNs in question include popular services Hide My Ass, IPVanish and Astrill.

A spokeswoman for Hide My Ass said that the company was aware of the report and had solved an issue with DNS configuration. She added that the company was working to address issues with IPv6. Astrill and IPVanish did not respond to requests for comment.

The main vulnerability identified in the report was "IPv6 traffic leakage". IPv6 is the latest version of the communications protocol that provides an identification and location system for routing traffic across the internet.

VPN services operate by tunnelling traffic through a protective protocol such as OpenVPN, L2TP or PPTP. All data should therefore pass through the VPN in an encrypted form.

However, almost all of the VPN services examined by the researchers did not tunnel IPv6 traffic effectively, if at all.

"Although not a serious problem some years ago, increasing amounts of traffic is now IPv6, bringing the problem to criticality," the report said.

According to Google, around 7 per cent of global internet traffic is IPv6. In the United States, the figure is above 20 per cent.

Another potential vulnerability identified in the paper was "DNS hijacking", which works by redirecting domain name system (DNS) queries to a server controlled by the attacker.

DNS servers translate domain names (such as ...) into the corresponding IP address. This allows the user's machine to talk to the server hosting the desired website and display it in their browser.

"Despite the criticality of the DNS resolution process, we found that most VPN services do not take significant steps to secure it," the researchers said.

Astrill was the only VPN provider examined by the researchers that provided some protection against DNS hijacking.
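The two failure modes described above, IPv6 traffic bypassing the tunnel and DNS queries going to a resolver outside it, both show up in the client's own routing table. The following is an added example, not code from the report or from any VPN provider: it audits constructed Linux `ip route` output and a resolv.conf by longest-prefix matching each destination against the routes and checking whether the winning route leaves via the tunnel interface. The interface names, addresses and the sample tables are assumptions.

```python
import ipaddress

# Constructed sample data (not from the report): Linux `ip route` tables and
# resolv.conf with OpenVPN up (tun0) over Wi-Fi (wlan0). IPv4 is captured by the
# 0.0.0.0/1 + 128.0.0.0/1 routes; IPv6 has no tunnel route; DNS is the LAN gateway.
ROUTES_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
ROUTES_V6 = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""
RESOLV_CONF = "# Generated by NetworkManager\nnameserver 192.168.1.1\n"

def parse_routes(dump, version):
    """Parse `ip route` output into (prefix, device, metric) tuples."""
    any_prefix = "0.0.0.0/0" if version == 4 else "::/0"
    routes = []
    for line in dump.splitlines():
        parts = line.split()
        if "dev" in parts:  # blank lines and device-less entries are skipped
            prefix = any_prefix if parts[0] == "default" else parts[0]
            metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
            routes.append((ipaddress.ip_network(prefix, strict=False),
                           parts[parts.index("dev") + 1], metric))
    return routes

def egress_interface(routes, destination):
    """Longest-prefix match (lowest metric on ties): the device a packet leaves on."""
    dst = ipaddress.ip_address(destination)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1] if hits else None

def audit_leaks(v4_dump, v6_dump, resolv_conf, vpn_dev="tun0"):
    """True: that traffic class stays inside the tunnel. False: it leaks."""
    v4, v6 = parse_routes(v4_dump, 4), parse_routes(v6_dump, 6)
    nameservers = [l.split()[1] for l in resolv_conf.splitlines()
                   if l.startswith("nameserver")]
    return {  # 192.0.2.1 and 2001:db8:ffff::1 stand in for any public host
        "ipv4_via_vpn": egress_interface(v4, "192.0.2.1") == vpn_dev,
        "ipv6_via_vpn": egress_interface(v6, "2001:db8:ffff::1") == vpn_dev,
        # a resolver reached outside the tunnel is the DNS hijacking exposure
        "dns_via_vpn": all(egress_interface(v6 if ":" in ns else v4, ns) == vpn_dev
                           for ns in nameservers),
    }
```

On the sample tables `audit_leaks` reports IPv4 inside the tunnel but flags both the IPv6 default route and the DHCP-assigned resolver as leaks; on a real host, feed it the output of `ip -4 route`, `ip -6 route` and `/etc/resolv.conf`.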

The report also criticised VPN service providers for exposing users to "misinformation" about their products. "A common misconception is that the word 'private' in [VPN] is related to the end user's privacy, rather than to the interconnection of private networks," it reported.

VPNs are popular in Western countries for making traffic anonymous and bypassing regional blocks on services such as BBC iPlayer or Hulu, the American ad-supported streaming service.

However, as the paper found, their effectiveness in the former role is questionable.

In China, VPNs are used by many people seeking to bypass internet restrictions put in place by the so-called Great Firewall. Twitter, Facebook, YouTube and Instagram are all blocked in China due to the Communist Party’s concerns about people mobilising online.

Beijing recently cracked down on VPN usage on the Chinese mainland, much to the dismay of its tech-savvy citizens, who increasingly resort to them.

"There are a variety of reasons why someone might want to hide their identity online and it's worrying that they might be vulnerable despite using a service that is specifically designed to protect them," Gareth Tyson, co-author of the study, wrote online.

"We're most concerned for those people trying to protect their browsing from oppressive regimes," he wrote.

"They could be emboldened by the supposed anonymity while actually revealing all their data and online activity and exposing themselves to possible repercussions."