Exploit for ZenMate VPN revealed detailed information about the victim and real IP address

Three-and-a-half million users of the well-known ZenMate VPN tunneling provider were exposed to a complete takeover of their accounts for less than a day. How was this possible? It turned out that the application contained a serious security bug that disclosed the authentication ID and secret token, with which an attacker could log in to the victim's account and change the password. That is only half of the bad news. The second half is no less drastic, because the researcher also managed to easily retrieve information about the victim, namely:

  • Information about the account ID.
  • Victim's e-mail address.
  • A list of all e-mail addresses used (including those used previously).
  • Information about the subscription and type of account.
  • The country the victim is from.
  • Detailed information about the device from which the victim logged in.
  • The victim's real IP address.
  • Complete deanonymization of the user while the VPN is in use.

All this was possible due to a vulnerability in the browser extension that allowed an XSS attack: the extension's "manifest.json" declared a content script for a list of domains, and a page on one of those domains could run malicious code with access to the extension's data.

Part of the ZenMate VPN extension manifest looks like this:

...trimmed for brevity...
{
  "js": [
    "scripts/page_api.js"
  ],

  "matches": [
    "*://*.zenmate.com/*",
    "*://*.zenmate.ae/*",
    "*://*.zenmate.ma/*",
    "*://*.zenmate.dk/*",
    "*://*.zenmate.at/*",
    "*://*.zenmate.ch/*",
    "*://*.zenmate.de/*",
    "*://*.zenmate.li/*",
    "*://*.zenmate.ca/*",
    "*://*.zenmate.co.uk/*",
    "*://*.zenmate.ie/*",
    "*://*.zenmate.co.nz/*",
    "*://*.zenmate.com.ar/*",
    "*://*.zenmate.cl/*",
    "*://*.zenmate.co/*",
    "*://*.zenmate.es/*",
    "*://*.zenmate.mx/*",
    "*://*.zenmate.com.pa/*",
    "*://*.zenmate.com.pe/*",
    "*://*.zenmate.com.ve/*",
    "*://*.zenmate.fi/*",
    "*://*.zenmate.fr/*",
    "*://*.zenmate.co.il/*",
    "*://*.zenmate.in/*",
    "*://*.zenmate.hu/*",
    "*://*.zenmate.co.id/*",
    "*://*.zenmate.is/*",
    "*://*.zenmate.it/*",
    "*://*.zenmate.jp/*",
    "*://*.zenmate.kr/*",
    "*://*.zenmate.lu/*",
    "*://*.zenmate.lt/*",
    "*://*.zenmate.lv/*",
    "*://*.zenmate.my/*",
    "*://*.zenmate.be/*",
    "*://*.zenmate.nl/*",
    "*://*.zenmate.pl/*",
    "*://*.zenmate.com.br/*",
    "*://*.zenmate.pt/*",
    "*://*.zenmate.ro/*",
    "*://*.zenmate.com.ru/*",
    "*://*.zenmate.se/*",
    "*://*.zenmate.sg/*",
    "*://*.zenmate.com.ph/*",
    "*://*.zenmate.com.tr/*",
    "*://*.zenmate.pk/*",
    "*://*.zenmate.vn/*",
    "*://*.zenmate.hk/*"
  ],

  "run_at": "document_start"
}...trimmed for brevity...

The researcher registered the domain "zenmate.li", which appears in the manifest, and hosted on it malicious code that reveals data about the victim:

// Make call to Content Script to get all user data
__zm.getData(function(results) {
    console.log(
        results
    );
});

Adding the following line disables the victim's VPN connection:

// Turn off VPN
__zm.toggle(false);
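As an added example (not ZenMate's or the researcher's code), the following shows how match patterns like those quoted from the manifest decide which pages receive the injected content script, and therefore the `__zm` page API, and an exact-origin gate a content script could apply before exposing such an API. The manifest fragment, `OWNED_ORIGINS` and `mayExposePageApi` are constructed for illustration and assume Chrome-style match-pattern semantics.

```javascript
// Added example, not ZenMate's code: which pages receive a content script
// (and thus the __zm page API) under the quoted match patterns, plus a
// stricter exact-origin gate.

// Constructed manifest fragment modelled on the one quoted above.
const manifestFragment = {
  content_scripts: [{
    js: ["scripts/page_api.js"],
    matches: ["*://*.zenmate.com/*", "*://*.zenmate.li/*", "*://*.zenmate.de/*"],
    run_at: "document_start",
  }],
};

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Translate a Chrome-style match pattern (scheme://host/path) into a RegExp.
// Scheme "*" means http or https; a "*." host prefix also matches the bare host,
// so "*://*.zenmate.li/*" covers https://zenmate.li/ and any of its subdomains.
function matchPatternToRegExp(pattern) {
  const m = /^(\*|https?):\/\/(\*|\*\.[^\/*]+|[^\/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`unsupported match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const schemeRe = scheme === "*" ? "https?" : scheme;
  let hostRe;
  if (host === "*") hostRe = "[^/]+";
  else if (host.startsWith("*.")) hostRe = "(?:[^/]+\\.)?" + escapeRe(host.slice(2));
  else hostRe = escapeRe(host);
  const pathRe = path.split("*").map(escapeRe).join(".*");
  return new RegExp(`^${schemeRe}://${hostRe}${pathRe}$`);
}

// True if any content_scripts entry is injected into this URL: every page
// on such a host can call the privileged API the script exposes.
function contentScriptInjectsInto(manifest, url) {
  return manifest.content_scripts.some((cs) =>
    cs.matches.some((p) => matchPatternToRegExp(p).test(url)));
}

// Hardened gate (assumed design, not the vendor's): before exposing a page API,
// the content script compares the exact page origin against hosts the vendor
// actually operates, instead of trusting the broad manifest wildcard.
const OWNED_ORIGINS = new Set(["https://zenmate.com", "https://www.zenmate.com"]); // constructed
function mayExposePageApi(pageOrigin) {
  return OWNED_ORIGINS.has(pageOrigin);
}
```

The point of the gate is that a manifest match list only decides where the script runs; whether the page it runs in deserves a privileged API is a separate decision that must be made against domains the vendor actually controls.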

Only users of the browser extension were affected; the application installed in the operating system was not.

The vulnerability was reported on May 28 at 2:15 am. The vendor confirmed the problem at 2:38 am, and the updated extension was published at 9:00 pm:

May 28, 2:15am – Disclosed issue via security contact email address.

May 28, 2:38am – Confirmed by vendor.

May 28, 9:00pm – Patch issued for Chrome and Firefox extensions.

The researcher has prepared a website where anyone who has not yet updated the extension can check whether they are vulnerable. We could not verify this ourselves, but according to the researcher, detailed information about the connection is revealed and the VPN is switched off, as in this video:

VPN in the browser or in the system?

Definitely in the system, because then all network traffic is encrypted. A VPN extension installed in the browser only encrypts HTTP/HTTPS traffic on ports 80, 8080 and 443, and, depending on the VPN provider, the connection will use the DNS servers of the VPN provider or of a third party, which can then learn which sites the user visits. This is another trap lying in wait for the careless who would like to hide from the world. VPNs were not created for privacy, but to increase security.

If we were to recommend a provider, NordVPN is probably the best choice. In its most favourable 2-year plan, NordVPN offers more than 4,000 exit servers in 62 countries around the world, so there is a lot to choose from. For those who would like to take advantage of the NordVPN offer, we recommend our affiliate link, which earns a small percentage on each purchase.

NordVPN client applications are available for almost all operating systems: Windows, macOS, iOS, Apple, Linux and many more. NordVPN supports P2P (not all VPNs do), so you can download legitimate torrents without any problems. In addition, NordVPN uses its own DNS servers, so no third-party DNS node logs the websites visited. Most importantly, NordVPN is registered in Panama and does not store any logs, as there is no legal obligation there to do so.

A VPN protects the device owner from carelessness when logging in to Internet services. Among other things, it mitigates the KRACK vulnerability on Wi-Fi and helps avoid restrictions on services or websites imposed by authoritarian governments.

Recently, ZenMate VPN was the subject of another article, unfortunately in the same context, i.e. security problems. It is worth seriously considering whether to change provider.




We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.