Cyber security
14 popular VPN services have serious security vulnerabilities that are rendering their users' data not as secure as you would think Reuters

If you have been paying for a virtual private network (VPN) to anonymise your traffic online, you should know that VPNs might not be that secure after all.

UK and Italian cybersecurity researchers have discovered that 14 of the world's top commercial VPN providers, including Hide My Ass, IPVanish, Astrill, ExpressVPN and StrongVPN are open to having their DNS servers hijacked.

VPNs work by fielding users' internet traffic through a protective communication protocol across the web, so that you cannot tell where it originated from, and this is useful in not just protecting a user's activities, but also to help trick geographically restricted video content services such as Netflix, BBC iPlayer and the NBC TV app service.

Researchers from Queen Mary University of London and the Sapienza University of Rome also found 10 of the VPNs also leak either all or a critical part of users' traffic from the IPV6 protocol, a new protocol used today now that IPV4 addresses have been almost completely used up.

ProviderCountriesServersIPv6 leakDNS hijacking
Hide My Ass62641YY
IPVanish51135YY
Astrill49163YN
ExpressVPN4571YY
StrongVPN19354YY
PureVPN18131YY
TorGuard1719NY
AirVPN1558YY
PrivateInternetAccess1018NY
VyprVPN842NY
Tunnelbear88YY
proXPN420YY
Mullvad416NY
Hotspot Shield Elite310YY

Table: How 14 top VPN providers ranked online (Queen Mary University of London)

"Whereas our work initially started as a general exploration, we soon discovered that a serious vulnerability, IPv6 traffic leakage, is pervasive across nearly all VPN services," the researchers wrote in their report.

"In many cases, we measured the entirety of a client's IPv6 traffic being leaked over the native interface. A further security screening revealed two DNS hijacking attacks that allow us to gain access to all of a victim's traffic.

"The most alarming situation is where individuals use VPN services to protect themselves from monitoring in oppressive regimes. In such cases, users who believe themselves to be anonymous and secure will be in fact fully exposing their data and online activity footprint."

The researchers said the VPN providers were not taking significant steps to prevent DNS hijacking and out of the 14 VPN providers tested, only Astrill had security measures against DNS hacking.

They also criticised the VPN providers for not advertising their products properly to end users, who might assume their data is kept completely private, when it is not.

"A common misconception is that the word 'private' in the VPN initialism is related to the end user's privacy, rather than to the interconnection of private networks," the researchers wrote.

"In reality, privacy and anonymity are features that are hard to obtain, requiring a careful mix of technologies and best practices that directly address a well-defined adversarial/threat model. In other words, there is no silver bullet within this domain."