Security researchers have discovered critical vulnerabilities in one of the top free VPN apps for Android. The vulnerabilities allow attackers to carry out Man-in-the-Middle attacks and steal users' sensitive data.
The application is used in 150 countries.
The researchers examined SuperVPN and found that it was sending sensitive, encrypted data over unsecured HTTP.
The application also embeds the decryption key, which allowed the researchers to decrypt that data.
Decrypting it revealed sensitive details about the SuperVPN server, its certificates, and the credentials needed to authenticate to the VPN server.
An attacker on the network path can use this information to replace the genuine SuperVPN server details with those of a server under their control, since nothing in plain HTTP prevents the data from being swapped in transit.
The severity of the vulnerabilities
According to the experts, attackers who exploit these vulnerabilities can monitor users' communications and activity, gaining access to sensitive data such as the sites users visit. They can also steal usernames and passwords, photos, videos, messages, and more.
According to the researchers, “some applications have their encryption keys in the VPN application. This means that even if the data is encrypted, hackers can easily decrypt it using these keys”.
By shipping these keys inside the app, the VPN developers have effectively handed attackers the means to access encrypted user data.
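As an added illustration, not code from SuperVPN or from the researchers, the following Go program models the flaw described above (a server configuration encrypted with a key shipped inside the APK and fetched over plain HTTP) together with the point made in the quoted remarks (an attacker who has extracted that key can decrypt the data and forge it). It then shows one hardened alternative in which the app embeds only a public key and verifies a signature made by a private key that never leaves the server. The config fields, key bytes and hostnames are constructed for the example; the page does not state which cipher SuperVPN used, so AES-GCM is assumed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ServerConfig is a constructed stand-in for the data the article says the app
// downloads: the VPN server, its certificate and the credentials used to log in.
type ServerConfig struct {
	Host     string `json:"host"`
	CertPEM  string `json:"cert"`
	Username string `json:"user"`
	Password string `json:"pass"`
}

// appKey stands in for the symmetric key found inside the APK. Anyone who
// unpacks the app can read it, so the attacker below simply "has" it.
var appKey = []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte AES-256 key

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal/open: AES-256-GCM with a random 12-byte nonce prepended to the ciphertext.
func seal(key, pt []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

func open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or blob")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Vulnerable design (what the article describes): the server encrypts the
// config with appKey, the app fetches it over plain HTTP, decrypts it with the
// same key and trusts whatever comes out.
func EncryptConfig(cfg ServerConfig) ([]byte, error) {
	pt, err := json.Marshal(cfg)
	if err != nil {
		return nil, err
	}
	return seal(appKey, pt)
}

func ClientParseVulnerable(blob []byte) (ServerConfig, error) {
	var cfg ServerConfig
	pt, err := open(appKey, blob)
	if err != nil {
		return cfg, err
	}
	err = json.Unmarshal(pt, &cfg)
	return cfg, err
}

// MITMReplace is the attacker on the HTTP path. With appKey pulled from the APK
// it reads the real config (credentials included) and re-encrypts a forged one
// that points the user at a server it controls. GCM's integrity tag does not
// help: the attacker holds the only key the tag depends on.
func MITMReplace(blob []byte, evilHost string) (ServerConfig, []byte, error) {
	stolen, err := ClientParseVulnerable(blob) // same key, same decryption
	if err != nil {
		return stolen, nil, err
	}
	forged := stolen
	forged.Host = evilHost
	out, err := EncryptConfig(forged)
	return stolen, out, err
}

// Hardened design (added here, not SuperVPN's code): the server signs the config
// with an Ed25519 private key that never ships in the app; the app embeds only
// the public key, which is harmless to extract. Confidentiality would come from
// fetching over HTTPS, which is not simulated here.
type signedConfig struct {
	Payload []byte `json:"payload"`
	Sig     []byte `json:"sig"`
}

func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func SignConfig(priv ed25519.PrivateKey, cfg ServerConfig) ([]byte, error) {
	payload, err := json.Marshal(cfg)
	if err != nil {
		return nil, err
	}
	return json.Marshal(signedConfig{Payload: payload, Sig: ed25519.Sign(priv, payload)})
}

func ClientParseSigned(pub ed25519.PublicKey, blob []byte) (ServerConfig, error) {
	var sc signedConfig
	var cfg ServerConfig
	if err := json.Unmarshal(blob, &sc); err != nil {
		return cfg, err
	}
	if !ed25519.Verify(pub, sc.Payload, sc.Sig) {
		return cfg, errors.New("config signature invalid: refusing to connect")
	}
	err := json.Unmarshal(sc.Payload, &cfg)
	return cfg, err
}

// TamperSigned is the same attacker against the hardened design: it can read the
// payload (it is plain JSON) but cannot produce a valid signature for its edit.
func TamperSigned(blob []byte, evilHost string) ([]byte, error) {
	var sc signedConfig
	var cfg ServerConfig
	if err := json.Unmarshal(blob, &sc); err != nil {
		return nil, err
	}
	if err := json.Unmarshal(sc.Payload, &cfg); err != nil {
		return nil, err
	}
	cfg.Host = evilHost
	sc.Payload, _ = json.Marshal(cfg) // old signature no longer matches
	return json.Marshal(sc)
}

func main() {
	genuine := ServerConfig{Host: "vpn.example.net", CertPEM: "(constructed cert)", Username: "app", Password: "s3cret"}

	blob, _ := EncryptConfig(genuine)
	stolen, forged, _ := MITMReplace(blob, "attacker.example.org")
	got, _ := ClientParseVulnerable(forged)
	fmt.Printf("vulnerable: attacker read %s/%s, client will connect to %s\n", stolen.Username, stolen.Password, got.Host)

	pub, priv := GenerateKeys()
	signed, _ := SignConfig(priv, genuine)
	tampered, _ := TamperSigned(signed, "attacker.example.org")
	if _, err := ClientParseSigned(pub, tampered); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

The vulnerable path shows why encryption alone buys nothing here: the client accepts the forged host and still hands over the real credentials, because the only secret involved is one the attacker already holds. In the signed variant the attacker can still read the payload, which is why the fetch must also move to HTTPS; what it can no longer do is change the server the app connects to.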
“In 2016, SuperVPN had only 10,000 downloads. Now, it has more than 100 million. Although many articles have stated that SuperVPN was malicious, it has not yet been removed from the Play Store,” the researchers said.