A study conducted by researchers at Queen Mary University of London has shown that many VPN networks leak information about their users. This information could be as broad in scope as the websites users were visiting, and as detailed as the actual content of messages they were sending to other parties. The have published a paper titled A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients. (pdf) after investigating 14 popular services on the market today. The researchers stated that though the VPN providers send data through an encrypted tunnel, the problems arise during the second stage of the VPN client’s operation: traffic redirection. This means that changes to the routing table (whether they are malicious or accidental) could result in traffic circumventing the VPN tunnel and being leaked to via interfaces. The research paper notes “The vulnerability is driven by the fact that, whereas all VPN clients manipulate the IPv4 routing table, they tend to ignore the IPv6 routing table. No rules are added to redirect IPv6 traffic into the tunnel. This can result in all IPv6 traffic bypassing the VPN’s virtual interface.”
TorrentFreak reached out to the VPN providers to record their comments on this grave issue which can put VPN users identity in jeopardy. One of the VPN providers, PureVPN noted that “take the security of our customers very seriously and thus, a dedicated team has been assigned to look into the matter.” While another VPN, AirVPN stated that“At least for AirVPN the paper is outdated.” They added, “We think that the researchers, who kindly sent the paper to us many months in advance and were warned about that, had no time to fix [the paper] before publication. There is nothing to worry about for AirVPN. Current topology allows us to have the same IP address for VPN DNS server and VPN gateway, solving the vulnerability at its roots, months before the publication of the paper.” TorGuard said that they knew about whitepaper and have been working to address the issues it raises. The company adds that while The Register’s “the sky is falling” coverage of yesterday is “deceptive”, the study does illustrate the need for providers to stay vigilant. It said it has also launched a new IPv6 leak prevention feature on Windows, Mac and Linux. On the DNS hijacking issue, TorGuard provides the following detail, Another leading VPN provider, Private Internet Access said that, PIA panned the research paper on various fronts, including incorrect claims about its DNS resolver. PIA has also published a response in which it says that its Windows client is safe. However, the PIA has commended the researchers presenting a detailed analysis of the DNS hijacking method but criticised it for presenting the same wrongly. The above disclosures by the researchers affect only IPv 6 clients so if you are using IPv 4, your privacy is safe. IPv 6 users may contact their service provide to patch the issues noted by the researchers.
