This week, ZDNet published an article about a security researcher who had found a vulnerability in our Hotspot Shield application for Windows. This bug, the researcher claimed, allowed the leakage of the Wi-Fi network name that Windows users on some Hotspot Shield versions were connecting to.
With our commitment to transparency, we felt it important to let our users know precisely what happened, and to clarify that while we agree that the Wi-Fi network name could have been leaked due to the bug, this vulnerability did not leak any personally identifiable information. A fix to the Wi-Fi network name vulnerability was released on February 6, and Hotspot Shield users remain secure. The vulnerability is no longer there.
To provide some more context on this, back on December 20, 2017, a researcher submitted a request to Hotspot Shield detailing a security vulnerability. Our security team was made aware of the issue and began testing it for proof of concept. After a thorough evaluation, our team was not able to find any proof that this bug could lead to leaks of personally identifiable information. We also could not create any scenario in which the provided proof of concept would lead to deanonymizing our users.
However, we did discover that in some cases generic information such as a user’s country or their Wi-Fi network name could be exposed. ZDNet confirmed that it too could not replicate claims of any leakage other than the Wi-Fi network name and country.
The vulnerability only affected Windows users and did not affect users on any other platform. All other Hotspot Shield platforms, as well as all our partners, were never exposed to the vulnerability.
We have sent the fix to the ZDNet reporter and the researcher who found this vulnerability for their independent verification, but at this moment, they have not responded to us to either confirm or deny our fix.
We want to make it clear that we acknowledge a vulnerability was found, and we want to thank the researcher for bringing it to our attention. We appreciate and fully encourage ethical disclosure of vulnerabilities of any level of severity, and we invite any security researcher to contact us at firstname.lastname@example.org. We remain committed to the safety and protection of our users, and we’re constantly working on improving our products, leveraging feedback from our users and third-party security experts who audit and test our products.
We realize that over 550 million people around the globe install trust in us to protect their online activities and keep them safe. It is our mission at AnchorFree to continually put their interests first and ensure a safe, secure, and open internet for all. We want to thank our users for their continued support.