Hackers can exploit critical vulnerabilities in PrivateVPN and Betternet – since fixed – to push out fake updates and plant malicious programs or steal data.

Attackers can intercept a VPN’s “communications and force the apps to download a fake update,” researchers from VPNPro who discovered the flaws wrote in a blog post.​ “The app may automatically apply the fake update, or send the user a notification to update the app.”

The researchers told SC Media they “were very surprised because these are VPNs – important cybersecurity tools that are meant to keep users safe – with a lot of users “trusting these tools to provide them with more security and privacy, not less.”

After testing 20 VPNs, the researchers reported their findings to Betternet and PrivateVPN – and both rolled out patches, on April 14 and March 26, respectively. There’s “no evidence that these vulnerabilities were exploited,” the researchers told SC.