Hotspot Shield VPN threatens your privacy by injecting ads and JS into browsers

Pierluigi Paganini August 08, 2017

The CDT urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices.

The digital rights advocacy group Center for Democracy & Technology (CDT) urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive trade practices.

AnchorFree provides the Hotspot Shield VPN app, claiming that it protects users from online tracking, but, according to a complaint filed with the FTC, the application gathers data and shares it according to its privacy policy.

“The Center for Democracy & Technology asks the Federal Trade Commission (Commission) to investigate the data security and data sharing practices of Hotspot Shield Free Virtual Private Network (VPN) services, a product of AnchorFree, Inc. Hotspot Shield Free VPN promises secure, private, and anonymous access to the internet,” reads the complaint. “As detailed below, this complaint concerns undisclosed and unclear data sharing and traffic redirection occurring in Hotspot Shield Free VPN that should be considered unfair and deceptive trade practices under Section 5 of the FTC Act.”


The VPN service injects ads and JavaScript code for advertising purposes into users’ browsers when they are connected through Hotspot Shield, exposing them to online monitoring.

“Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this,” said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. “They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”

The experts who analyzed the source code of the application discovered that the company is using several tracking libraries, which is very curious considering the company’s motto was “Don’t let ISPs monetize your web history: Use Hotspot Shield.”

“Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes. An iframe, or “inline frame,” is an HTML tag that can be used to embed content from another site or service onto a webpage; iframes are frequently used to insert advertising, but can also be used to inject other malicious or unwanted code onto a webpage. Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing,” continues the complaint.
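Injection of this kind can be checked for by comparing a copy of a page fetched over a trusted connection with the copy received through the VPN. The Python below is an added example, not code from the complaint or from AnchorFree; the HTML samples, the page URL and the `.example` hostnames are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

WATCHED = {"iframe": "src", "script": "src"}  # tags that can pull in third-party content

class ActiveContent(HTMLParser):
    """Collect (tag, origin) for every iframe and script; scripts without src are 'inline'."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.items = []

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED:
            return
        src = dict(attrs).get(WATCHED[tag])
        if src:
            # Resolve relative and protocol-relative URLs against the page URL.
            parts = urlsplit(urljoin(self.page_url, src))
            origin = f"{parts.scheme}://{parts.netloc}"
        else:
            origin = "inline"
        self.items.append((tag, origin))

def active_content(html, page_url):
    parser = ActiveContent(page_url)
    parser.feed(html)
    return parser.items

def injected(baseline_html, observed_html, page_url):
    """Return (tag, origin) pairs that occur more often in the observed copy than in the baseline."""
    extra = Counter(active_content(observed_html, page_url))
    extra.subtract(Counter(active_content(baseline_html, page_url)))
    return sorted(item for item, count in extra.items() if count > 0)

# Constructed sample data: the same page as served and as received through the tunnel.
PAGE_URL = "http://site.example/index.html"
BASELINE = """<html><head><script src="/js/app.js"></script></head>
<body><p>hello</p></body></html>"""
OBSERVED = """<html><head><script src="/js/app.js"></script></head>
<body><p>hello</p>
<iframe src="http://ads.example.net/slot?id=1" width="0" height="0"></iframe>
<script>/* constructed tracking stub */</script>
</body></html>"""

if __name__ == "__main__":
    for tag, origin in injected(BASELINE, OBSERVED, PAGE_URL):
        print(f"added <{tag}> from {origin}")
```

Pages with rotating content differ between fetches on their own, so the comparison is most reliable against a static page whose markup is known in advance.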

The CDT claims the VPN application gathers location data to optimize the advertising features, and it collects IP addresses, unique device identifiers, and other information (SSID/BSSID network names, MAC addresses, and device IMEI numbers).

Although IP addresses and unique device identifiers are private personal information, AnchorFree’s Privacy Policy explicitly exempts this data from its definition of Personal Information.

“Importantly, the Privacy Policy makes clear that neither IP addresses nor unique device identifiers are considered to be personal information by Hotspot Shield,” states the complaint.

The CDT filing argues that AnchorFree collects more data than VPN service providers normally need for their operations.


Pierluigi Paganini

(Security Affairs – Hotspot Shield, VPN)
