Free Chinese VPN exposed data from over a million users
Users may not have been aware of data collection, suggest researchers
Cybersecurity researchers have discovered unencrypted data of about a million users of Quickfox, a free virtual private network (VPN) service primarily used to access Chinese sites from outside of mainland China.
Commenting on the find, WizCase says that the data exposed a variety of personally identifiable information (PII) of the users of the service, including their names, phone numbers, and more.
“There was no need for a password or login credentials to see this information, and the data was not encrypted. Based on the records exposed, our team estimates that the breach affected at least a million Quickfox users,” writes WizCase.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
- These are the the best VPN services
- We’ve also rounded up the best business VPN services
- Take a look at our collection of the best proxy services
The security researchers claim that they tried bringing the leak to the attention of Quickfox, but the free VPN provider hasn’t yet responded to their hails.
Overzealous collection
The data was discovered through a misconfiguration in Quickfox’s ElasticSearch server thanks to incomplete ELK stack security.
The researchers explain that ELK (Elasticsearch, Logstash, and Kibana) are three open source applications that help streamline searches through large files, such as the logs of an online service like Quickfox.
“Quickfox had set up access restrictions from Kibana, but had not set up the same security measures for their Elasticsearch server. This means that anyone with a browser and an internet connection could access Quickfox logs and extract sensitive information on Quickfox users,” explained WizCase.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The total leaked data was made up of over 500 million records and totaled over 100GB. About a million of these records had PII of users, including MD5 hashed passwords, which WizCase claims can’t withstand modern password crackers.
Worryingly however, the leaked data didn’t just contain the IP address assigned to the user, but also the user’s original IP address from which they connected to the VPN service. WizCase was also surprised that the service collects data about the other software installed on the user’s device.
“It’s unclear why the VPN was collecting this data, as it is unnecessary for its process and it is not standard practice seen with other VPN services. We could not find Quickfox’s terms of use or privacy policy to confirm whether or not users were aware of the information that Quickfox is extracting,” WizCase observes.
- These are the best working VPNs for China
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.