Vulnerabilities in two VPNs opened door to fake, malicious updates

Hackers can exploit critical vulnerabilities in PrivateVPN and Betternet – since fixed – to push out fake updates and plant malicious programs or steal data.

Attackers can intercept a VPN’s “communications and force the apps to download a fake update,” researchers from VPNPro who discovered the flaws wrote in a blog post. “The app may automatically apply the fake update, or send the user a notification to update the app.”

The researchers told SC Media they "were very surprised because these are VPNs – important cybersecurity tools that are meant to keep users safe" – with a lot of users "trusting these tools to provide them with more security and privacy, not less."

After testing 20 VPNs, the researchers reported their findings to Betternet and PrivateVPN – and both rolled out patches, on April 14 and March 26, respectively. There's "no evidence that these vulnerabilities were exploited," the researchers told SC.
