Craig Silverman (tweet, also: Nick Heer):
Sensor Tower, a popular analytics platform for tech developers and investors, has been secretly collecting data from millions of people who have installed popular VPN and ad-blocking apps for Android and iOS, a BuzzFeed News investigation has found. These apps, which don’t disclose their connection to the company or reveal that they feed user data to Sensor Tower’s products, have more than 35 million downloads.
Paul Bischoff (via Hacker News):
Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity.
[…]
More than two weeks after we sent a disclosure to UFO VPN, the company shut down the database and responded by email[…]
“We don’t collect any information for registering,” the spokesperson said. “In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked.” [sic]
But based on some sample data, we do not believe this data to be anonymous.
A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet.
[…]
A few days later, on July 5, the data silo was separately discovered by Noam Rotem’s team at VPNmentor, and it became clear the security blunder went well beyond UFO. It appears seven Hong-Kong-based VPN providers – UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all share a common entity, which provides a white-labelled VPN service.
And they were all leaking data onto the internet from that unsecured Elasticsearch cluster, VPNmentor reported.
Via Nick Heer:
There is nothing inherently wrong with white labelled goods and services, but I do think their use is inadequately disclosed. It is detrimental to our understanding of what we are buying and makes it hard to compare different products.
Previously: