"Zero Logs" VPN Company Exposes Millions Of User Logs - https://www.youtube.com/watch?v=Ag1o3koTLWM

Leonard Helplessness

kiwifarms.net
https://www.zerohedge.com/technology/zero-logs-vpn-company-exposes-millions-user-logs (archive)


"Zero Logs" VPN Company Exposes Millions Of User Logs
https://www.zerohedge.com/users/tyler-durden

Hong Kong-based UFO VPN - which claims a 'zero logs' policy - maintained a database without any password, exposing over 20 million user logs per day, consisting of 894 GB of data.

The logs reportedly included passwords, IP addresses, geographical location, connection timestamps, session tokens, device information and the OS used.

This is in stark contrast to UFO VPN's stated privacy policy that "We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services."




The exposure, found by Comparitech security's Bob Diachenko, was discovered after search engine Shodan.io indexed the server hosting the data. Diachenko discovered the exposed data four days later and notified UFO VPN. Two weeks later, he notified the hosting provider, and the next day - more than two weeks after UFO VPN was notified - the database was secured.
If bad actors managed to get their hands on the data before it was secured, it could pose several risks to UFO VPN users.
The plain-text passwords are the most clear and direct threat. Hackers could not only use them to hijack UFO VPN accounts, but might also be able to carry out credential stuffing attacks on other accounts. If the same password is used across multiple accounts, they could all be compromised.
IP addresses could be used to discern users’ whereabouts and corroborate their online activity. VPNs are often used to hide users’ real locations and online activity.
The session secrets and tokens could be used to decrypt session data that an attacker might have captured. For example, if an attacker intercepted encrypted data being sent through the VPN on a compromised wi-fi network, they could conceivably decrypt that data with this information.
Email addresses could be used to target users with tailored phishing messages and scams. -Comparitech
https://archive.vn/o/t1mUK/https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-exposure/
The company told Comparitech in an email: "Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed," adding "We don’t collect any information for registering."


"In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked."
Comparitech disagrees, and believes that the exposed data was not anonymous.

UFO VPN says it has 20 million users, and claims to offer "bank grade protection" in addition to its "zero log" policy. Its focus is unblocking content such as the region-locked streaming service Netflix, as well as blocked apps and websites.
 
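Editor's note: the article lists the field types found in the exposed records (passwords, IP addresses, location, timestamps, session tokens, device and OS) and then reports the company's claim that "all the collected information is anonymous". The script below is an added example, not code from UFO VPN, Comparitech or ZeroHedge, showing the check an operator could run on their own connection-log records before shipping them to an analytics store: it flags records that carry a credential or an identifier, and shows what a scrubbed record that still supports "network performance" analysis looks like. The field names and the three JSON-lines records are constructed for the example; real schemas differ.

```python
"""Audit VPN connection-log records for credentials and identifiers.

Added example, not code from any party named on the page. Field names and
sample records are assumptions constructed for illustration.
"""
import json
import re
from ipaddress import ip_address, ip_network

# Fields that let an attacker act as the user (account hijack, session hijack,
# credential stuffing). These must never reach a log or analytics store.
CREDENTIAL_FIELDS = {"password", "session_token", "session_secret"}
# Fields that identify the user or their whereabouts; a record carrying one
# of these is not "anonymous" whatever the field is called.
IDENTITY_FIELDS = {"email", "ip", "src_ip", "location", "device_id"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

# Constructed sample: three records shaped like the field types Comparitech
# reported, one of them clean, one with only a contact e-mail.
SAMPLE_LOG = """\
{"ts": "2020-07-01T10:15:22Z", "ip": "203.0.113.42", "location": "HK", "password": "hunter2", "session_token": "tok_0123456789abcdef", "device": "Pixel 3", "os": "Android 10", "rtt_ms": 48}
{"ts": "2020-07-01T10:15:30Z", "user_hash": "a1b2c3", "os": "iOS 13", "rtt_ms": 120, "bytes_out": 10240}
{"ts": "2020-07-01T10:16:01Z", "contact": "alice@example.com", "os": "Windows 10", "rtt_ms": 33}
"""


def parse(log_text):
    """Parse JSON-lines text into a list of dict records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _is_ip(value):
    """True if value is a string holding a valid IPv4 or IPv6 address."""
    if not isinstance(value, str):
        return False
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def _coarsen_ip(value):
    """Keep only the network prefix (/24 for v4, /48 for v6) so per-network
    performance analysis still works but a single user cannot be located."""
    addr = ip_address(value)
    prefix = 24 if addr.version == 4 else 48
    return str(ip_network(f"{addr}/{prefix}", strict=False))


def classify(record):
    """Return (field, reason) findings; an empty list means the record is anonymous.

    Detection is by field name and by value shape (IP literal, e-mail), so a
    renamed field such as "contact" holding an e-mail is still caught.
    """
    findings = []
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in CREDENTIAL_FIELDS:
            findings.append((field, "credential"))
        elif (field in IDENTITY_FIELDS or _is_ip(value)
              or (isinstance(value, str) and EMAIL_RE.match(value))):
            findings.append((field, "identity"))
    return findings


def scrub(record):
    """Drop credentials, drop or coarsen identifiers, keep performance fields."""
    out = {}
    for field, value in record.items():
        if field in CREDENTIAL_FIELDS:
            continue  # a plaintext password or bearer token has no analytics value
        if _is_ip(value):
            out[field] = _coarsen_ip(value)
            continue
        if field in IDENTITY_FIELDS or (isinstance(value, str) and EMAIL_RE.match(value)):
            continue
        out[field] = value
    return out


def audit(log_text):
    """Return (count of identifying records, scrubbed copies of all records)."""
    records = parse(log_text)
    identifying = [r for r in records if classify(r)]
    return len(identifying), [scrub(r) for r in records]


if __name__ == "__main__":
    count, scrubbed = audit(SAMPLE_LOG)
    print(f"{count} of {len(scrubbed)} records identify a user or carry a credential")
    for rec in scrubbed:
        print(json.dumps(rec))
```

The check is deliberately shape-based as well as name-based: a schema can call the column anything, and the claim that a dataset is "anonymous" is only as good as the last field someone added to it. Run it against a sample of whatever is already in the analytics store, not just against the intended schema.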

Jimmy Durante's Ballsack

Live a little
kiwifarms.net
This is why I do all of my shady/embarrassing shit offline and in places with poor lighting.

You can't trust any of these companies. As soon as your data leaves your person, is stored on your internet-connected computer, or worse is put on "the cloud", it's effectively out there for everyone. Either you come to terms with that or you keep an airgapped system hanging around for your QuickBooks and fanfic.
 

Cowboy Kim

Mecha-Mania Boy
kiwifarms.net
>trusting a chinkware no-name vpn
If you honestly do this, you deserve anything that comes to you.
In all honesty, this seems like one of those shady free VPN apps you find on Google Play that only a completely exceptional individual would use.
I can safely say that the only people affected are normies & literal children.
 

Splendid

Ignore mods. Report and negrate their posts.
True & Honest Fan
Retired Staff
kiwifarms.net
I'm not shocked that a Hong Kong based company would do this, even when they were a free "country," they were still pretty controlled.
 

On a toilet

kiwifarms.net

2138_1255

kiwifarms.net
I wouldn't put it past unscrupulous 3-letter agencies (in other words, all of them) to set up honey-pot "VPN companies" to lure in the careless. Kind of like the Tor exit node circus...

Also amusing is the 'faith' placed in "logs", which are nothing but text files that a first-day unix sysadm can alter, right down to the date/time "saved".
 

XYZpdq

fbi most wanted sskealeaton
True & Honest Fan
kiwifarms.net
Also amusing is the 'faith' placed in "logs", which are nothing but text files that a first-day unix sysadm can alter, right down to the date/time "saved".
yeah I never really got why anybody ever assumes any of these are legit
 

3119967d0c

"a brain" - @REGENDarySumanai
True & Honest Fan
kiwifarms.net
Also amusing is the 'faith' placed in "logs", which are nothing but text files that a first-day unix sysadm can alter, right down to the date/time "saved".
Ah. Is your argument that if these were used to target you, you could argue at court that some nerd edited them in Emacs? Do you think that would protect you?
 

2138_1255

kiwifarms.net
Ah. Is your argument that if these were used to target you, you could argue at court that some nerd edited them in Emacs? Do you think that would protect you?
...if the company involved had previously admitted to altering "user" content? I'd be a fool *not* to bring it up.
 