Free Chinese VPN exposed data from over a million users

Researchers at WizCase have discovered a leak in QuickFox, a free VPN service that is primarily used to visit Chinese websites from outside China. In the leak, they found personal details of a million users, including names and phone numbers.

It was not difficult for the researchers to access this data. The data was neither password-protected nor encrypted.

QuickFox

QuickFox is a free VPN app aimed at Chinese people who live outside of China and still want to visit Chinese websites. Some Chinese websites can only be visited from China itself. With such geographical restrictions, the IP addresses of visitors are checked to see if they are in the correct region.

With a VPN, you can get around such restrictions by connecting to a VPN server in the correct country. You then take on the IP address of the VPN server, which makes it seem as if you are in China, for example.

Cause of the leak

The leak was caused by the open-source programs QuickFox used to search large amounts of data, which were not secured. Access to one of the programs, Elasticsearch, was not secured. This allowed anyone to view the dataset. The server contained QuickFox logs and therefore personal data of QuickFox users.

Data from 1 million users

The researchers found 100GB of data on the server that they could easily access. They found the personal data of approximately 1 million QuickFox users. Personal information included email addresses, phone numbers, details about devices used, and encrypted passwords.

The passwords were hashed with MD5, a method that does not stand up well to modern password cracking techniques. The IP addresses assigned to users by the VPN and the original IP addresses of users were also visible in the dataset.
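As an added illustration (not from the article, WizCase or QuickFox), the Python example below scrubs log records before they are sent to a search index such as Elasticsearch, so that an exposed index would hold no raw email addresses, phone numbers, password hashes or full IP addresses. The field names, the key and the sample record are assumptions constructed for the example; the article does not describe QuickFox's log schema.

```python
import hashlib
import hmac
import ipaddress
import re

# Assumptions: field names and key are constructed; the article gives no log schema.
PSEUDONYM_KEY = b"constructed-demo-key"  # in practice a secret kept outside the log store
DROP_FIELDS = {"password", "password_md5", "installed_apps"}  # never needed in logs
PSEUDONYMIZE_FIELDS = {"email", "phone"}
IP_FIELDS = {"client_ip", "assigned_ip"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def pseudonym(value: str) -> str:
    """Keyed hash: stable for correlation, but not guessable offline without the key
    (a plain hash of a phone number could be brute-forced, like the MD5 passwords)."""
    mac = hmac.new(PSEUDONYM_KEY, value.strip().lower().encode(), hashlib.sha256)
    return "p_" + mac.hexdigest()[:16]

def coarsen_ip(value: str) -> str:
    """Keep only the /24 (IPv4) or /48 (IPv6) network instead of the full address."""
    ip = ipaddress.ip_address(value)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def scrub(record: dict) -> dict:
    """Return a copy of a log record that is safe to index."""
    clean = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in PSEUDONYMIZE_FIELDS:
            clean[key] = pseudonym(str(value))
        elif key in IP_FIELDS:
            try:
                clean[key] = coarsen_ip(str(value))
            except ValueError:
                clean[key] = "invalid"
        elif isinstance(value, str):
            # Free-text fields can still carry an email address; replace it in place.
            clean[key] = EMAIL_RE.sub(lambda m: pseudonym(m.group()), value)
        else:
            clean[key] = value
    return clean

SAMPLE = {  # constructed record, not taken from the leak
    "email": "user@example.com", "phone": "+10000000000", "password_md5": "0" * 32,
    "client_ip": "203.0.113.57", "assigned_ip": "10.8.0.12", "session_s": 42,
    "msg": "login ok for user@example.com",
}
```

Scrubbing reduces what an exposed index can reveal; it does not replace authentication and access control on the index itself.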

Information about other apps

For 300,000 users, the server also held information about the software found on their devices in addition to QuickFox. This allowed the researchers to see which other apps a user had on their device. The installation date and version of each app were also included in the data.

It is strange that a VPN stores such information, as it is not necessary for the VPN app to function. Good VPN providers keep as little user data as possible, because users choose a VPN to better protect their privacy online. The data from QuickFox is therefore remarkable, to say the least.

Phishing

If you used QuickFox in 2021, it is wise to be extra wary of online scams. Because your personal information may be known to scammers, they can make their phishing emails appear more credible. Also, it never hurts to change your passwords.
