It is quite common for smartphone users to search for free VPNs that enable them to access certain banned websites. A recent study by WizCase reveals that a free VPN service is exposing the personal information of millions of users. According to the study, Quickfox, a free VPN service used to access Chinese websites from outside China, has leaked millions of users’ personal information. The leaked information includes names, contact numbers, software on users’ devices, and more. According to WizCase, no login details are needed to view this data. Furthermore, the data is not even encrypted, so it is fully exposed.
The users most affected by this leak are in the U.S., China, Japan, Indonesia, and Kazakhstan. However, the leak mostly reveals information about Chinese users who stay outside China. Of course, these users want to get information from Chinese websites. Since some Chinese websites can only be accessed from within China, this VPN becomes useful. However, this report shows that the VPN service is not safe.
Quickfox is completely free – its source of income is questionable
Fuzhou Zixun Network Technology Co., Ltd. owns Quickfox, and incomplete security on its ELK (Elasticsearch, Logstash, and Kibana) stack is the cause of the leak. Quickfox does not have access restrictions for its Elasticsearch server. This makes it possible for anyone to access Quickfox logs and extract sensitive information on Quickfox users.
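Operators running their own ELK stack can check for the same class of misconfiguration. The following is an added example, not code from WizCase or Quickfox: a small Python audit of a flat elasticsearch.yml. The sample configs are constructed, the finding names are hypothetical, and the audit assumes a policy that security settings must be set explicitly, since defaults differ between Elasticsearch versions.

```python
# Added example: flag elasticsearch.yml settings that leave a node
# readable over the network without credentials.
# Assumption: only flat "key: value" lines are handled (no nested YAML or lists).

LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

def parse_flat_yaml(text):
    """Return {key: value} for 'key: value' lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings

def audit(text):
    """Return a list of finding names (hypothetical labels) for one config."""
    s = parse_flat_yaml(text)
    # Policy assumption: a setting that is not explicitly "true" counts as off.
    auth_on = s.get("xpack.security.enabled") == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled") == "true"
    # Elasticsearch binds to loopback when network.host is unset.
    host = s.get("network.host", "_local_")
    findings = []
    if not auth_on:
        findings.append("auth-disabled")
    if not tls_on:
        findings.append("no-http-tls")
    if not auth_on and host not in LOOPBACK:
        # Worst case: anyone who can reach the port can read the indices.
        findings.append("unauthenticated-network-access")
    return findings

# Constructed sample configs, not taken from any real deployment.
OPEN_CONFIG = """
cluster.name: logs          # constructed sample
network.host: 0.0.0.0
xpack.security.enabled: false
"""
HARDENED_CONFIG = """
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```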
Below is a list of the information that Quickfox reveals. This information was exposed between June 2021 and September 2021.
- Name
- Phone number
- MD5-hashed passwords (with special techniques, the plaintext passwords are vulnerable)
- Device type details
- The IP address assigned to a user
- Original IP address of user
- Software on the user's device
- File locations
- Software installation date
- Software version number
It is interesting to note that most of the information above is irrelevant for VPN services. Thus, it is suspicious that Quickfox is collecting this information. Furthermore, Quickfox’s terms of use or privacy policy is not available. There is no telling whether or not these users are aware that the VPN service is collecting this information.
This leak leaves users vulnerable to phishing, fraud, scams, password leaks, account takeover, and more. As of now, there is no official comment from Quickfox regarding this report. WizCase contacted Quickfox, but there has been no reply so far. It is important to do a quick search on a VPN service before using it. Any service needs a way to make money. Thus, if the service is entirely free, you need to be more careful.