A team of Wizcase's security researchers, led by Ata Hakcil, revealed a critical leak in Quickfox that exposed the personal data of at least a million users, including their names, cell phone numbers, the software installed on their devices, and more.
According to the research, Quickfox is a China-based free VPN service operated by Fuzhou Zixun Network Technology Co., Ltd. It is mainly used by Chinese citizens living abroad who want to access geo-restricted Chinese websites from their host countries.
Wizcase disclosed that the exposed user data was not encrypted and that no login credentials or password were needed to view it. They also stated that they asked the company for a statement but have not received a response.
Image Credits: Wizcase (An Authentication request leaking sensitive information)
How Did it Happen and Who was Involved?
The researchers identified the leak in Quickfox's Elasticsearch server. Since the target audience of this VPN is Chinese expatriates, the service offers multiple servers inside the country so that users can access Chinese geo-restricted sites.
The leak was caused by an incompletely secured ELK (Elasticsearch, Logstash, and Kibana) stack. ELK is a set of three open-source tools used to index and search very large data sets, for example the logs of a VPN service like Quickfox.
While the VPN service had configured access restrictions on Kibana, the same measure was not applied to Elasticsearch itself. As a result, anyone with an internet connection and a browser could access the Quickfox logs and extract users' personally identifiable information (PII).
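As an added example (not from Wizcase's report and not Quickfox's own configuration), the following script audits an elasticsearch.yml for the pattern just described: the Elasticsearch HTTP API reachable with authentication switched off. The setting names are real Elasticsearch options; the two sample configuration files are constructed for illustration.

```python
"""Audit an elasticsearch.yml for the exposure pattern seen in the Quickfox leak:
Kibana locked down, but Elasticsearch itself answering without authentication."""
from typing import Dict, List

# Constructed sample: the weak layout (security off, bound to every interface, no TLS).
WEAK_CONFIG = """\
cluster.name: vpn-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the corrected layout (auth on, private bind address, TLS on).
HARDENED_CONFIG = """\
cluster.name: vpn-logs
network.host: 10.0.5.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `key: value` lines used by elasticsearch.yml (no nesting, no lists)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings

def audit_elasticsearch(text: str) -> List[str]:
    """Return a list of findings; an empty list means none of the checked weaknesses are present."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    # Releases before 8.0 defaulted security to off, so an unset value counts as a finding too.
    if s.get("xpack.security.enabled", "unset").lower() != "true":
        findings.append("authentication not enforced: xpack.security.enabled is not true")
    if s.get("network.host", "") in ("0.0.0.0", "::", "_global_"):
        findings.append("HTTP API bound to all interfaces: network.host=" + s["network.host"])
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP API served without TLS: xpack.security.http.ssl.enabled is not true")
    return findings
```

Run `audit_elasticsearch` over your own configuration file: the weak sample yields three findings, the hardened one none.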
The IP addresses discovered in the leak revealed that this mostly affected the users living in the US, Kazakhstan, Japan, and Indonesia.
What Information of Users was Leaked?
The leak exposed approximately 500 million records, totaling more than 100 GB of data. Two types of information were exposed: the personal data of around a million users, and the software installed on the devices of more than 300K users.
Here is a list of the exposed information in detail. All this information was leaked between June 2021 and September 2021:
- Mobile number
- The IP address assigned to a user
- Device type details
- The original IP address of a user
- File locations
- Software installed on the user's device
- Software version number
- MD5-hashed passwords (MD5 hashes can be cracked, exposing the original passwords)
- Software installation date
Image Credits: Wizcase (Software on users device by name, installation date, and version)
What are the Potential Risks of this Data Leak and How to Protect Yourself?
If you’ve been a Quickfox user in 2021, then you need to be vigilant about the potential risks listed below:
1. Scams and Frauds:
The information leaked in this data breach could be picked up by hackers and used for scams and fraud. For example, hackers might call you, impersonate someone important, and use your PII to build trust. Once that is done, they might try to extract more sensitive data from you, such as your credit card details.
This is why you should not trust every call you get and should share only limited information with organizations.
2. Phishing Attacks:
With exposed data, phishing attacks become much easier. For example, a hacker might send you an email that looks like it comes from Quickfox and contains a link that installs malware on your device. Because the attacker holds so much of your PII, the message would look convincing and genuine.
Learn to recognize phishing attempts: call the organization and verify the email before sharing any personal information or clicking any link in it.
3. Passwords Leaks:
One hacking technique that will never get old is cracking users' passwords to access their accounts. Unfortunately, users usually reuse the same password across multiple accounts because it is easier to remember, which leaves them vulnerable to account takeovers.
This is why it is highly recommended to use a separate password for each of your accounts and to change passwords every 90 days. Also, if you own a Microsoft account, you can go completely passwordless on it, which means one less account to protect with a password.
Quickfox is not the only service exposing sensitive user information to the world. Recently, a popular SMS routing company disclosed a compromise of user data spanning five years, including credentials, text messages, and more.
But, free VPN services have always been risky to use. Since these VPNs do not charge you any money, many of them cost you your privacy and sensitive information. This is why you should always use the best VPN service and thoroughly go through its terms of service before subscribing.