Free Chinese VPN Exposed Data From Over 1 Million Users

Cybersecurity researchers have discovered an unencrypted store of data on around a million users of Quickfox, a free virtual private network (VPN) service used primarily to access Chinese sites from outside mainland China. Commenting on the discovery, WizCase said the data exposes the personally identifiable information (PII) of the service's users, including their names, phone numbers and more. “There was no need for access codes or login credentials to view this information and the data was not encrypted. Based on the exposed records, our team estimates that the breach affected at least one million Quickfox users,” WizCase writes. The researchers say they tried to bring the leak to Quickfox's attention, but the free VPN vendor still has not responded.

Overzealous Collection

The data was exposed through a misconfigured Elasticsearch server: Quickfox had not secured every component of its ELK stack. ELK (Elasticsearch, Logstash and Kibana) is a set of three open-source applications used to ingest, index and search large volumes of data, such as the logs of an online service like Quickfox. Kibana is the web front end; Elasticsearch is the database behind it, normally reachable over HTTP on port 9200, and it has to be locked down separately. “Quickfox had built in access limitations from Kibana, but it hadn't built in exactly the same security measures for its Elasticsearch server. This means that anyone with a browser and an Internet connection can access Quickfox logs and extract proprietary information about Quickfox users,” WizCase explained.

The exposed dataset consisted of more than half a billion records and totaled more than 100 GB. About a million of those records contained personal user information, including MD5-hashed passwords, which WizCase says cannot withstand modern attackers: MD5 is a fast, unsalted hash, so common passwords can be recovered from it with a wordlist or a precomputed table in seconds.

More alarming, the leaked data contains not only the IP address the VPN assigned to the user, but also the user's original IP address, the one from which they connected to the VPN service. Storing the two side by side undoes the anonymity a VPN is supposed to provide. WizCase was also surprised that the service collects data about other software installed on the user's device. “It is not known why the VPN was aggregating this data, as it is superfluous to their processing and not a standard practice seen with other VPN services. We were unable to locate Quickfox's terms of service or privacy policy to confirm whether users were aware of the information Quickfox collects,” notes WizCase.
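The check that would have caught this misconfiguration is simple: ask the Elasticsearch port for its cluster metadata and index list without sending any credentials. The script below is an added example written for this page, not code from WizCase's report or from Quickfox. It assumes standard Elasticsearch REST behaviour (GET `/` returns cluster metadata as JSON when no authentication is enforced and HTTP 401 when X-Pack security is enabled; `/_cat/indices?format=json` lists every index with its document count); the hostname and the sample responses are constructed so the script runs offline.

```python
"""Added example: audit an Elasticsearch endpoint for unauthenticated access.

Not code from WizCase or Quickfox. Assumes standard Elasticsearch REST
behaviour: with no authentication enforced, GET / returns cluster metadata
as JSON; with X-Pack security enabled it returns HTTP 401. The SAMPLE_*
responses and the hostname below are constructed for offline use.
"""
import json
import urllib.error
import urllib.request


def fetch(base_url, path, timeout=5):
    """GET base_url+path with no credentials; return (status, body_text)."""
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_root(status, body):
    """Interpret the response to GET / (port 9200).

    'open'          : cluster metadata served to an anonymous client
    'auth-required' : security is enforced (401)
    'unknown'       : anything else (proxy page, other service, error)
    """
    if status == 401:
        return "auth-required"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "open"
    return "unknown"


def summarize_indices(body):
    """Parse /_cat/indices?format=json into (index, doc_count, size), largest first.

    Elasticsearch uses dotted keys ('docs.count', 'store.size') in this output.
    """
    rows = json.loads(body)
    summary = []
    for row in rows:
        docs = int(row.get("docs.count") or 0)
        summary.append((row["index"], docs, row.get("store.size", "?")))
    summary.sort(key=lambda r: r[1], reverse=True)
    return summary


def audit(base_url, fetcher=fetch):
    """Run both checks; 'fetcher' is injectable so the audit can run offline."""
    status, body = fetcher(base_url, "/")
    verdict = classify_root(status, body)
    report = {"verdict": verdict, "indices": []}
    if verdict == "open":
        # An anonymous client can enumerate every index and its size; this is
        # the step that turns a misconfiguration into a bulk data exposure.
        status, body = fetcher(base_url, "/_cat/indices?format=json")
        if status == 200:
            report["indices"] = summarize_indices(body)
    return report


# Constructed sample responses standing in for a real, unsecured cluster.
SAMPLE_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "vpn-logs",
    "version": {"number": "7.10.2"}, "tagline": "You Know, for Search",
})
SAMPLE_INDICES = json.dumps([
    {"index": "vpn-access-2021.09", "docs.count": "312000000", "store.size": "61gb"},
    {"index": "vpn-users", "docs.count": "1050000", "store.size": "2.1gb"},
    {"index": ".kibana_1", "docs.count": "12", "store.size": "40kb"},
])


def fake_fetch(base_url, path, timeout=5):
    """Offline stand-in for fetch(): serves the constructed responses above."""
    if path == "/":
        return 200, SAMPLE_ROOT
    if path.startswith("/_cat/indices"):
        return 200, SAMPLE_INDICES
    return 404, ""


if __name__ == "__main__":
    # Pass fetcher=fetch (the default) to probe a cluster you are authorised to test.
    report = audit("http://es.example.internal:9200", fetcher=fake_fetch)
    print(json.dumps(report, indent=2))
```

A verdict of `open` with a populated index list is the Quickfox situation: the Kibana login page is irrelevant when port 9200 answers anonymously. The fix is on the Elasticsearch side, not in Kibana: enable `xpack.security.enabled: true` in `elasticsearch.yml` (available on the free Basic licence since 6.8), set passwords for the built-in users, and keep `network.host` bound to an internal interface behind a firewall rather than a public address.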
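To show concretely why MD5-hashed passwords offer no protection once a table like this leaks, here is an added example, not code from WizCase or Quickfox. The "leaked" records and the wordlist are constructed; the attack is a plain dictionary lookup, the cheapest form of offline cracking. The replacement shown beside it, salted PBKDF2-HMAC-SHA256 from Python's standard library, is one of the recommended slow password hashes; the iteration count follows current OWASP guidance.

```python
"""Added example: why unsalted MD5 password hashes do not survive exposure.

Not code from WizCase or Quickfox. LEAKED_MD5 and WORDLIST are constructed.
The contrast is a dictionary attack on unsalted MD5 versus salted
PBKDF2-HMAC-SHA256 from hashlib.
"""
import hashlib
import hmac
import os


def md5_hex(text):
    """Unsalted MD5 of a password, as a leaked table like Quickfox's would store it."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed stand-in for a leaked user table: unsalted MD5 hashes.
LEAKED_MD5 = {
    "user-1001": md5_hex("password123"),
    "user-1002": md5_hex("qwerty"),
    "user-1003": md5_hex("password123"),    # same password -> same hash, no salt
    "user-1004": md5_hex("k7#Vq9!zLw2$pR"),  # strong; not in the wordlist below
}

# Constructed mini wordlist; real attackers use billions of entries plus rules.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "iloveyou"]


def crack_md5(leaked, wordlist):
    """Dictionary attack: hash each candidate once, then look every user up in O(1).

    Because MD5 is fast and the hashes carry no salt, one table serves all users.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def duplicate_hashes(leaked):
    """Unsalted hashing leaks equality: users sharing a hash share a password."""
    seen = {}
    for user, h in leaked.items():
        seen.setdefault(h, []).append(user)
    return [users for users in seen.values() if len(users) > 1]


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256, stored as algo$iterations$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute from the stored parameters and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("cracked:", crack_md5(LEAKED_MD5, WORDLIST))
    print("users sharing a password:", duplicate_hashes(LEAKED_MD5))
    stored = hash_password("password123")
    print("stored:", stored)
    print("verify correct:", verify_password("password123", stored),
          "verify wrong:", verify_password("qwerty", stored))
```

Three of the four constructed accounts fall to a six-word list instantly, and the two users who chose the same password are visible as such before any cracking starts. With the salted, iterated hash, the same password produces a different string for every user and each guess costs hundreds of thousands of SHA-256 computations, which is what makes bulk offline cracking of a leaked table impractical.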