Free VPNs based in Hong Kong caught logging

Posted on Jul 15, 2020 by Caleb Chen

Several free VPN apps based in Hong Kong logged internet activity from millions of users, then left that data unsecured on the internet for anyone to find. This batch of fake no-log VPNs was discovered by the research team at VPNMentor, who published the results on their blog on July 15th, 2020, after notifying both the offending VPNs and the relevant authorities and confirming that the exposed server was finally being protected. The release was delayed so as to protect the personally identifiable information of the VPN users from additional exploitation.

The full list of offending VPN services discovered by VPNMentor includes:

  • UFO VPN
  • FAST VPN
  • FREE VPN
  • Super VPN
  • Flash VPN
  • Rabbit VPN

As part of their internet security research, VPNMentor scours the internet for unsecured servers, such as the Elasticsearch server found holding VPN logs from all of these VPN companies. The information wasn’t just left on the open web without authentication; it was also stored unencrypted. It’s unknown whether other third parties were able to access the VPN logs stored by these companies, but the mere fact that the logs existed and were being used by the VPN apps themselves should be worrying enough for most VPN users.
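The failure described above, an Elasticsearch node reachable from the internet with no authentication, is a configuration problem on the operator’s side. The following `elasticsearch.yml` fragment is an added illustration, not configuration from the page or from any of the VPN companies named in it; it assumes a 7.x-style single node and uses constructed paths. The commented-out lines show the weak settings that produce an open database; the active lines show the corrected ones.

```yaml
# --- Weak configuration (constructed example of the failure mode, kept commented out) ---
# network.host: 0.0.0.0           # listens on every interface, so port 9200 is reachable from the internet
# xpack.security.enabled: false   # no authentication: anyone who can reach the port can read every index

# --- Hardened configuration ---
network.host: 127.0.0.1           # bind to loopback only; front it with a reverse proxy or private network if remote access is needed
xpack.security.enabled: true      # require credentials on every request
xpack.security.http.ssl.enabled: true            # encrypt the REST API in transit
xpack.security.http.ssl.keystore.path: certs/http.p12  # assumed path to the node's HTTP certificate keystore
```

A quick self-check after restarting the node: an unauthenticated `curl https://127.0.0.1:9200/_cat/indices` should come back with HTTP 401 rather than a listing of indices. The deeper fix, of course, is data minimization: a service that claims to keep no logs should never write origin IPs, locations, or sites visited into any datastore, secured or not.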

The discovered logs contained personally identifiable information

To confirm the authenticity of the database, the VPNMentor team downloaded the UFO VPN app, and sure enough, new entries appeared in the open database. VPNMentor stated that immediately after registering and using the UFO VPN app, they noticed their own logs start to show up:

“Upon doing so, new activity logs were created in the database, with our personal details, including an email address, location, IP address, device, and the servers we connected to.”

Through their research, VPNMentor also discovered that these supposedly independent VPN apps all seem to be made by the same company and team of developers. They share functionality, website designs, and other indicators that they rely on the same white-labeled codebase. The smoking gun, so to speak, is that these supposedly independent VPN apps share the same unprotected Elasticsearch server for storing the very VPN logs they tell their millions of customers they don’t keep. According to VPNMentor’s probing, these logs included:

  • Connection logs, traffic, and sites visited
  • Origin IP addresses
  • Internet Service Provider (ISP)
  • Actual location
  • Device type
  • Device ID
  • App version
  • Phone models
  • User network connection

Fake no-logs VPNs are hard to hold accountable

When called out by VPNMentor, one of the offending VPNs even lied about the origin and content of the discovered logs. The relevant authority, the Hong Kong Computer Emergency Response Team (HKCERT), wasn’t able to do anything and responded to VPNMentor’s report as follows:

“We have notified the ASN of the IP you mentioned for follow-up. Since the country of the IP location is US, and the log you provided cannot show the information is related to Hong Kong. Would you please contact US-Cert for help or provide more information indicates that the data leakage incident is related to Hong Kong?”

While it may be possible for a properly geolocated user of one of these apps to sue the offending VPN companies under GDPR or CCPA, this whole episode should remind VPN users that verifying the no-logging claims of a VPN company is a step that can’t be skipped. As the names of the offending VPNs might suggest, it seems these VPN apps were targeted at less sophisticated and unsuspecting VPN users. Remember that these free VPNs all (still) claim to keep no logs, but their lie has been laid out for all to see. If you are a user of any of these VPN apps, it’s a good idea to uninstall them immediately.


3 Comments

  1. Mark VanOuse

    PIA also has a “strict no-logs policy”. You mentioned nothing in this article about the difference between these HK VPN’s claim and how we verify PIA’s claim. At the very least, your article should link to the article(s) that clarify exactly how PIA can externally verify their “strict no-logs policy”….

    4 years ago
      1. Mark VanOuse

        Thank you, Caleb. We have very busy lives and don’t have time to hunt around for that information. One of the negatives of a VPN is that it is a black box, even for the customers. Having outside audits and experts provide assurance that “what’s in the black box” is in fact what we are paying for is reassuring.

        4 years ago