Virtual Private Networks used to encrypt users’ information against surveillance and hacking could actually leak private data due to a newly discovered vulnerability.
The vulnerability, called IPv6 leakage, was found to affect systems of 11 out of 14 popular VPN providers studied by Queen Mary University of London (QMUL) researchers.
The researchers conducted an experiment attempting two types of common cyber-attacks that could be used to gather user data: passive monitoring, which simply collects unencrypted information as it passes through an access point, and DNS hijacking, in which Internet traffic is redirected to the hackers' own web servers, disguised as common websites.
The leaked data included a range of information including which websites the user was visiting and the actual content of the communication exchanged with the servers, such as comments posted on user forums.
Websites using HTTPS encryption, which include those handling financial transactions, were found to be safe.
The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet, called IPv6. IPv6 replaces the previous IPv4, but many VPNs only protect users' IPv4 traffic, so any IPv6 traffic the device sends bypasses the encrypted tunnel and travels over the ordinary network connection unprotected.
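To make the mechanism concrete, here is an added defender-side check (written for this page, not code from the QMUL study or any VPN provider) that reads the host's IPv4 and IPv6 default routes and reports whether IPv6 has a default route that does not go through the VPN tunnel. The route text, the interface names `tun0` and `wlan0`, and the metrics are constructed sample data in the format of `ip route show default` and `ip -6 route show default`; the set of tunnel interface names is an assumption you adjust for your own VPN client.

```python
import re
import subprocess

# Constructed sample: IPv4 is tunnelled (tun0 has the lowest metric), but the
# only IPv6 default route points at the wireless interface, i.e. a leak.
SAMPLE_V4_ROUTES = """\
default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
"""
SAMPLE_V6_ROUTES = """\
default via fe80::1 dev wlan0 proto ra metric 1024 expires 1797sec pref medium
"""

# Constructed sample of a remediated host: IPv6 also defaults through the tunnel.
SAMPLE_V6_ROUTES_FIXED = """\
default dev tun0 proto static metric 50
default via fe80::1 dev wlan0 proto ra metric 1024 expires 1797sec pref medium
"""

# Matches "default [via <gw>] dev <iface> ... [metric <n>]" as printed by iproute2.
ROUTE_RE = re.compile(
    r"^default(?:\s+via\s+(\S+))?\s+dev\s+(\S+)(?:.*?\bmetric\s+(\d+))?"
)


def parse_default_routes(text):
    """Return a list of (interface, metric) tuples, one per default route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        metric = int(m.group(3)) if m.group(3) else 0  # missing metric means 0
        routes.append((m.group(2), metric))
    return routes


def preferred_interface(routes):
    """The kernel prefers the default route with the lowest metric."""
    if not routes:
        return None
    return min(routes, key=lambda r: r[1])[0]


def check_leak(v4_text, v6_text, vpn_ifaces=("tun0", "tun1", "wg0")):
    """Classify the routing state: IPv6 leaks when it has a default route that
    is preferred and does not go over one of the assumed VPN interfaces."""
    v4_if = preferred_interface(parse_default_routes(v4_text))
    v6_if = preferred_interface(parse_default_routes(v6_text))
    return {
        "ipv4_via_vpn": v4_if in vpn_ifaces,
        "ipv6_present": v6_if is not None,
        "ipv6_via_vpn": v6_if in vpn_ifaces,
        "ipv6_leak": v6_if is not None and v6_if not in vpn_ifaces,
    }


def live_check(vpn_ifaces=("tun0", "tun1", "wg0")):
    """Run the same check against the real routing table of a Linux host."""
    v4 = subprocess.run(["ip", "route", "show", "default"],
                        capture_output=True, text=True, check=True).stdout
    v6 = subprocess.run(["ip", "-6", "route", "show", "default"],
                        capture_output=True, text=True, check=True).stdout
    return check_leak(v4, v6, vpn_ifaces)


if __name__ == "__main__":
    print("sample (leaking):   ", check_leak(SAMPLE_V4_ROUTES, SAMPLE_V6_ROUTES))
    print("sample (remediated):", check_leak(SAMPLE_V4_ROUTES, SAMPLE_V6_ROUTES_FIXED))
```

On the leaking sample the check reports `ipv4_via_vpn` true but `ipv6_leak` true as well: the host has a working IPv6 path that the VPN never touches, which is exactly the condition the study describes. The remediated sample shows the two fixes a client can apply: either install an IPv6 default route through the tunnel (as shown), or, if the VPN cannot carry IPv6, block IPv6 on the non-tunnel interfaces so that no IPv6 traffic is sent in the clear.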
The team tested various devices, including smartphones and tablets. They found the vulnerability was less likely to affect devices running Apple's iOS operating system than those running Google's Android.
“There are a variety of reasons why someone might want to hide their identity online and it’s worrying that they might be vulnerable despite using a service that is specifically designed to protect them,” said Dr Gareth Tyson, a lecturer at QMUL and co-author of the study.
“We’re most concerned for those people trying to protect their browsing from oppressive regimes. They could be emboldened by their supposed anonymity while actually revealing all their data and online activity and exposing themselves to possible repercussions.”
Virtual Private Networks, used by about 20 per cent of web users, protect people's anonymity online by encrypting their communications. They offer a legal way to prevent surveillance, or even to access geographically restricted services such as Netflix and BBC iPlayer.