- Is Trump defiling the U.S. flag in this MAGA dude’s artwork? Sunday 4:41 PM
- White woman claims she invented sleep bonnets, selling them for $100 Sunday 4:03 PM
- Even real cats are transfixed by the enigma that is the ‘Cats’ trailer Sunday 3:04 PM
- Wait, how tall is Peppa Pig? Sunday 1:55 PM
- Twitter suspends Iranian state media outlets for harassing members of a religious minority Sunday 1:06 PM
- Pro-MAGA pageant queen stripped of title over ‘offensive’ tweets Sunday 11:52 AM
- Marvel unveiled its Phase 4 plans at San Diego Comic-Con Sunday 9:16 AM
- How a queer Instagram is helping fight the opioid epidemic in Appalachia Sunday 6:30 AM
- Philadelphia to fire 13 officers for racist, violent Facebook posts Saturday 6:12 PM
- Nick Offerman is so down to play every single role in ‘Cats’ Saturday 4:27 PM
- Woman documents how airport staff broke her wheelchair Saturday 3:04 PM
- Funeral home allegedly posted photos of woman’s dead body on social media Saturday 1:56 PM
- Alinity Divine is being investigated after throwing her cat during stream (updated) Saturday 12:04 PM
- ‘Comedians In Cars Getting Coffee’ returns with Seinfeld making a racist joke about China Saturday 10:26 AM
- YouTubers Eugenia Cooney and Shane Dawson make a joint comeback Saturday 9:06 AM
Den Rise/Shutterstock (Licensed)
Here’s what you need to know.
A test conducted by cybersecurity researcher and ethical hacker John Mason of the Best of VPN found 10 of 15 Chrome VPNs leaked queries from domain name servers (DNS), or the protocol used to translate a normal domain name (like www.dailydot.com) to an IP address so a browser can load it.
The issue stems from a Chrome feature called DNS prefetching, which is designed to reduce latency by guessing what website you’re about to visit and pre-loading its IP address. For example, if you hover over a link, Chrome will make a DNS request, so the site loads faster once you press on it.
Obviously, VPNs should not be leaking data to an observer and potentially giving them the tools to track your browsing habits. The point of a VPN is to securely access a private network and remotely tunnel encrypted data to it. By leaking DNS requests, the VPN undermines its entire purpose.
“VPN extensions shouldn’t leak DNS data as it’s similar to IPs, can be used to see where a user is and one major use of VPNs is anonymity,” Mason wrote in an email to the Daily Dot. “They should block all kinds of outgoing DNS queries while they are running or route it through them.”
Without getting too technical, DNS data is leaked because DNS prefetching continues to operate when one of two VPN extension modes is in use. This allows bad actors to create web pages that force visitors to leak DNS requests and gives ISPs the ability to collect the URL of a user’s favorite websites.
Mason posted a list of the 10 VPN extensions he tested that leaked DNS requests.
- Hola VPN
- HotSpot Shield
- VPN Unlimited
- ZenMate VPN
- Ivacy VPN
“Since A LOT and I mean A LOT of users use the web extensions to browse anonymously, this is a severe hole in it,” Mason said. “For example, HolaVPN has over 8 million users, Tunnelbear more than 700k. Both of them leak DNS. This only happens with web extensions though, if you use a VPN app, this won’t affect you.”
He also outlined steps for users to determine whether their VPN leaks DNS. They are as follows:
- Activate the Chrome plugin of your VPN.
- Go to chrome://net-internals/#dns.
- Click on “clear host cache.”
- Go to any website to confirm this vulnerability.
If your VPN is leaking requests, you can navigate to your Chrome settings, type “predict” in “search settings” and disable “Use a prediction service to help complete searches and URLs typed in the address bar” and “Use a prediction service to load pages more quickly.”
If you want to use a VPN, we suggest downloading a full app, which won’t be affected by this strange vulnerability. Here is a list of the five best VPN apps.
We have reached out to Google and will update this article if we learn more.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.