Hotspot Shield VPN threatens your privacy by injecting ads and JS into browsers

The CDT urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices.

The digital rights advocacy group Center for Democracy & Technology (CDT) urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive trade practices.

AnchorFree provides the Hotspot Shield VPN app, claiming that it protects users from online tracking, but, according to a complaint filed with the FTC, the application gathers data and shares it according to its privacy policy.

“The Center for Democracy & Technology asks the Federal Trade Commission (Commission) to investigate the data security and data sharing practices of Hotspot Shield Free Virtual Private Network (VPN) services, a product of AnchorFree, Inc. Hotspot Shield Free VPN promises secure, private, and anonymous access to the internet,” reads the complaint. “As detailed below, this complaint concerns undisclosed and unclear data sharing and traffic redirection occurring in Hotspot Shield Free VPN that should be considered unfair and deceptive trade practices under Section 5 of the FTC Act.”

The VPN service injects ads and JavaScript code for advertising purposes into users’ browsers when they are connected through Hotspot Shield, exposing them to online monitoring.

“Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this,” said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. “They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”

The experts who analyzed the source code of the application discovered that the company is using several tracking libraries, which is very curious considering the company’s motto was “Don’t let ISPs monetize your web history: Use Hotspot Shield.”

“Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes. An iframe, or “inline frame,” is an HTML tag that can be used to embed content from another site or service onto a webpage; iframes are frequently used to insert advertising, but can also be used to inject other malicious or unwanted code onto a webpage. Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing,” continues the complaint.
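One way a tester could check for the kind of injection the complaint describes is to compare the iframes and scripts embedded in a page fetched over a trusted path with the copy received through the VPN. This is an added example, not code from the complaint or from Hotspot Shield; the URLs and HTML are constructed samples, and a static page is assumed so that any difference comes from the network path.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data: the same page as served (BASELINE) and as received (OBSERVED).
PAGE_URL = "http://news.example/story"
BASELINE = ('<html><head><script src="/static/app.js"></script></head>'
            '<body><p>Story text</p></body></html>')
OBSERVED = ('<html><head><script src="/static/app.js"></script>'
            '<script>window.__adcfg={"slot":"top"};</script></head>'
            '<body><iframe src="http://ads.example.net/frame?id=1" width="0"></iframe>'
            '<p>Story text</p></body></html>')


class EmbedCollector(HTMLParser):
    """Collects (tag, reference) for every iframe and script element."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.embeds, self._inline = page_url, set(), None

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if src:  # external resource: normalise to an absolute URL
            self.embeds.add((tag, urljoin(self.page_url, src)))
        elif tag == "script":  # inline script: buffer the body until </script>
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.embeds.add(("script", "inline:sha256:" + hashlib.sha256(body).hexdigest()[:16]))
            self._inline = None


def collect_embeds(html, page_url):
    parser = EmbedCollector(page_url)
    parser.feed(html)
    parser.close()
    return parser.embeds


def injected_embeds(baseline_html, observed_html, page_url):
    """Embeds present only in the observed copy, flagged when loaded from another host."""
    added = collect_embeds(observed_html, page_url) - collect_embeds(baseline_html, page_url)
    page_host = urlsplit(page_url).hostname
    return [{"tag": tag, "ref": ref,
             "third_party": not ref.startswith("inline:") and urlsplit(ref).hostname != page_host}
            for tag, ref in sorted(added)]
```
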

The CDT claims the VPN application gathers location data to optimize the advertising features, and that it collects IP addresses, unique device identifiers, and other information (SSID/BSSID network names, MAC addresses, and device IMEI numbers).

Although IP addresses and unique device identifiers are private personal information, AnchorFree’s Privacy Policy explicitly exempts this data from its definition of Personal Information.

“Importantly, the Privacy Policy makes clear that neither IP addresses nor unique device identifiers are considered to be personal information by Hotspot Shield,” states the complaint.

The CDT filing argues that AnchorFree collects more data than VPN service providers normally need for their operations.

Pierluigi Paganini

(Security Affairs – Hotspot Shield, VPN)
