
VPN software Hotspot Shield hit by a security flaw that leaks users' sensitive information

2018-2-8 10:50 | Submitted by: xiaotiger | Source: the internet


Disclaimer: This site is a non-profit, public-interest IT education site. This article was reposted by a contributor from a publicly available article on the internet, with the source noted at the end; the copyright of its text and images belongs to the original site or author, and the views expressed do not represent those of this site. If anything infringes rights or was reposted improperly, please contact us via the link at the bottom right of the site. Thank you.


When you want to hide your identity on the internet, a virtual private network (VPN) is what you need. It builds a private network of your own on top of a public network and encrypts your traffic.

As the internet has grown, many VPN products have come to market, and Hotspot Shield is one of them. It is a high-speed VPN proxy developed by the well-known VPN software company AnchorFree, and it supports several devices online at the same time.

AnchorFree designed Hotspot Shield to give internet users around the world a secure, anonymous and private browsing experience. Hotspot Shield encrypts network traffic by automatically detecting Wi-Fi networks; because of this, it is also used as a circumvention tool to reach blocked websites.

Hotspot Shield was once one of the most popular VPN products in the world, and to date it has more than 500 million users worldwide.

However, independent security researcher Paulos Yibelo found last month that Hotspot Shield has a serious security vulnerability that leaks users' sensitive information.

The vulnerability is tracked in the U.S. National Vulnerability Database (NVD) as CVE-2018-6460 (currently awaiting analysis). According to its description, it allows an attacker to extract detailed information about the machine running the Hotspot Shield client. From that information an attacker can determine whether the user is connected to a VPN, which VPN it is, and what the user's real IP address is.

It has also been reported that AnchorFree, the developer of Hotspot Shield, has to some extent acknowledged the vulnerability and promised an update to keep users' information safe.

Yibelo explains that the Hotspot Shield client hosts sensitive JSONP endpoints on its local web server that return various values and configuration data, all of which can help a potential attacker quietly obtain sensitive information.

The vulnerability description also states: "User-controlled input is not sufficiently filtered; an unauthenticated attacker can send a POST request to '/status.js' with the parameter 'unc=$_APPLOG.Rfunc' and extract sensitive information about the machine."

Researchers at the well-known outlet ZDNet confirmed the vulnerability using the proof-of-concept (PoC) code Yibelo published. The PoC calls a JavaScript file served by the web server that Hotspot Shield hosts on the user's machine (on port 895) and gets back several pieces of sensitive data, including the machine's configuration details.
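The underlying weakness is a general one: a local web server that wraps data in a caller-chosen JSONP callback can be loaded by any web page through a `<script>` tag, because script inclusion is exempt from the same-origin policy, and a callback value that names a property path (such as the `$_APPLOG.Rfunc` value in the CVE description) is not a plain function name at all. The following Python model, added here as an example and not code from Hotspot Shield or AnchorFree, contrasts that pattern with a hardened endpoint. The state dictionary, the `callback` parameter name, the `X-Local-Token` header and the token itself are all constructed assumptions for the demonstration.

```python
import json
import re
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed sample of the kind of state a local VPN helper might hold.
# Hypothetical stand-in; not data or fields from Hotspot Shield.
SAMPLE_STATE: Dict[str, object] = {
    "vpn_connected": True,
    "country": "US",
    "adapter": "tap0",
    "public_ip": "198.51.100.23",   # RFC 5737 documentation address (constructed)
}

# Per-install secret handed to the legitimate local UI out of band
# (for example, a file readable only by the current user). Generated for the demo.
LOCAL_TOKEN = secrets.token_hex(16)

# A JSONP callback, if one is accepted at all, must be a bare identifier:
# no '$', '.', '[', '(' or whitespace, which rules out property paths.
CALLBACK_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def is_safe_callback(name: str) -> bool:
    """True only for a plain identifier that can safely be reflected as a function name."""
    return CALLBACK_RE.fullmatch(name) is not None


def vulnerable_status_js(query: str) -> str:
    """Model of the weak pattern: reflect a caller-chosen callback around the full state.

    Any third-party page can include
    <script src="http://localhost:PORT/status.js?callback=..."> and receive this body,
    because <script> loads are not blocked by the same-origin policy.
    """
    params = parse_qs(query)
    callback = params.get("callback", ["cb"])[0]   # 'callback' is an assumed parameter name
    return f"{callback}({json.dumps(SAMPLE_STATE)});"


def hardened_status(query: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Hardened model: a required secret header, no JSONP, and a minimal response.

    Returns (HTTP status, body).
    """
    # 1. Require a secret in a custom header. A <script> tag cannot set headers, and a
    #    cross-origin fetch() carrying one triggers a CORS preflight that this server
    #    never approves, so a third-party page cannot obtain the body.
    supplied = headers.get("X-Local-Token", "").encode("utf-8")
    if not secrets.compare_digest(supplied, LOCAL_TOKEN.encode("utf-8")):
        return 401, ""
    # 2. Refuse JSONP entirely: a callback parameter that is not a bare identifier is
    #    rejected, and even a valid one is ignored rather than reflected.
    params = parse_qs(query)
    callback = params.get("callback", [None])[0]
    if callback is not None and not is_safe_callback(callback):
        return 400, ""
    # 3. Expose only what the UI needs: connection state, not addresses or adapters.
    return 200, json.dumps({"vpn_connected": SAMPLE_STATE["vpn_connected"]})


if __name__ == "__main__":
    print(vulnerable_status_js("callback=$_APPLOG.Rfunc"))
    print(hardened_status("", {}))
    print(hardened_status("", {"X-Local-Token": LOCAL_TOKEN}))
```

The two handlers differ on three defender-relevant axes: who can reach the data (any page versus a client holding the local secret), what the caller controls (the function name wrapped around the body versus nothing), and how much is returned (the full state versus a single boolean). Detection on the host side is equally simple: a local service that answers `/status.js`-style requests without any authentication header is the pattern to flag.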

Although Yibelo claims that in some cases he was able to obtain Hotspot Shield users' real IP addresses, ZDNet did not obtain them during its testing. Tim Tsoriev, AnchorFree's vice president of marketing communications, also disputed Yibelo's claim about IP address exposure, saying the flaw leaks neither the user's real IP address nor any personal information.

That said, in his statement to ZDNet Tsoriev did acknowledge that the flaw could expose some generic information, such as the country the user is in.

Notably, Yibelo had already reported the vulnerability to AnchorFree. The company should have been aware of the Hotspot Shield flaw since December, but it never responded to Yibelo's findings, which is what led him to publicly disclose the vulnerability and its PoC.

This article was compiled by 黑客视界 from online sources; images are from the web. When reposting, please credit "转自黑客视界" and include a link.


