Updated May 13, 2020, with an explanation from VPNpro

Two prominent VPN services may have been hacked by a malicious software update, researchers at news site VPNpro have discovered If you were using one of them, your computer could have been completely taken over by almost any type of malware without you realizing it

Two VPN services, Betternet and PrivateVPN, have since fixed the flaw Before that, however, it was possible to infect Betternet and PrivateVPN client software on Windows PCs with fake software updates downloaded via a man-in-the-middle attack

"Rather than protecting users' data, PrivateVPN and Betternet overlooked important security aspects that would allow malicious actors to steal that data or commit even more nefarious acts," the VPNpro report states

VPNpro researchers examined 20 widely used VPN services: Betternet, CyberGhost, ExpressVPN, Hideme, HMA (Hide My Ass), Hola VPN, Hotspot Shield, IPVanish, Ivacy, NordVPN, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, TorGuard, TunnelBear, TurboVPN, SurfShark, VyprVPN, Windscribe

There were no problems with the 14 VPN services However, it was possible to intercept client-server communications for six VPN services, including Hotspot Shield and Hideme However, neither of these two pieces of software actually connected to the VPNpro proof-of-concept malicious servers

Four of the services' client software did connect to VPNpro's malicious servers Two of them, CyberGhost and TorGuard, did not download updates to the malicious software installed by VPNpro

Betternet and PrivateVPN both downloaded; Betternet's client software did not automatically install malicious updates and encouraged users to do so (The PrivateVPN client automatically installed the update

The described attack was not purely academic or confined to a laboratory environment

"Let's say you are connecting to free Wi-Fi in a cafe or at the airport Before you connect to the Internet, you connect to a VPN" Then you receive a notification to install recent updates to your VPN tool

"Of course, it's important to keep your software up to date, so you do," VPNpro said, adding that doing so could install ransomware, spyware, or virtually any kind of malware on your computer

The best way to avoid such attacks is to avoid downloading software updates from untrusted or open Wi-Fi networks, VPNpro said It is all too easy for pranksters and criminals to set up malicious Wi-Fi hotspots with innocuous names like "Starbucks Wi-Fi" or "AT&T Free Hotspot"

And of course, no matter how malware gets into your computer, running the best anti-virus program will help you avoid most malware attacks

After receiving blowback from some VPN providers that fell into the "intercepted" but not completely hacked category, VPNpro added the following paragraph to its initial report

If the VPN responded "Yes" to the question "Can we intercept the connection", this means that the VPN software did not add certificate pinning or similar procedures that would prevent interception of communications with the update network request This means that the VPN software did not have the ability to pin certificates or intercept communications with renewal network requests As a result, 6 VPNs were able to intercept connections, while 14 VPNs had proper certificate pinning in place

In general, some readers mistakenly believe that "intercepting communications" means intercepting communications between the user and the VPN server, when in fact our study is about updates and client endpoints, not touching VPN connections

If a VPN is "connected while being intercepted? This means that the VPN software established a connection to the VPN server during the malicious connection If the answer is "No" it means that the connection was not made In our tests, 4 of the top 20 VPNs established this connection and 16 did not

However, since our POC was based on pushing fake updates through apps and these VPNs (CyberGhost, Hotspot Shield, Hide Me, TorGuard) did not accept them, we did not consider this a vulnerability We did not consider it a vulnerability