
Several Hong Kong VPN Apps Leaked Users' Private Data Online 【Chinese-English Bilingual Translation】

News source: Technadu; Author: Bill Toulas; Published: July 16, 2020

Translation/Commentary: 文明明; Proofreading: 孙行者; Review: InAHurry; Page: 拱卒

Commentary:

VPNs are not unfamiliar to most people, and many have used one. For people inside the wall, the main purpose of using a VPN is to reach websites that are not allowed domestically, because this is our only way of crossing the firewall from inside the country and getting truthful information from outside. Of course, this carries risk.

Because they cannot verify the claims themselves, non-specialists readily believe the "no-log" promises these VPN companies make, thinking this lowers the risk of being discovered by the internet police. Little do they know that, for the sake of profit, these unscrupulous companies give the public flawed systems and false promises, putting users in danger. So while we condemn these bad business practices, we also need to learn more about network security, raise our risk awareness, and not let a small short-term gain (using free apps) compromise our own and our families' safety. As we often say, there is no such thing as a free lunch.

Original text:

Several Hong Kong-Based VPN Apps Exposed Their Private User Data Online

Several Hong Kong VPN Apps Leaked Users' Private Data Online

• Seven Hong Kong-based VPN products have been proven to be recording massive amounts of user data.

• The products have been storing this data on an unprotected Elasticsearch instance in a common server.

• The data is very revealing, including names, emails, passwords, IP addresses, home addresses, and more.

• It has been proven that seven Hong Kong VPN products are recording massive amounts of user data.

• These products stored the data on a public server running an unprotected Elasticsearch engine.

• The leak exposed a great deal of information, including user names, email addresses, passwords, IP addresses, home addresses, and more.

A group of seven VPN products that are supposedly “no-log” services has exposed 20 million users by leaving a server unprotected online. All seven of the products come from the same Hong Kong-based developer, Dreamfii HK Limited, which is the reason why they were using the same Elasticsearch server.

This group of seven VPN products, which claim to provide "no-log" services, exposed 20 million users by failing to protect their server. Because all seven products come from the same Hong Kong developer, Dreamfii HK Limited, they were using the same Elasticsearch server.

The exposed VPNs are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. The number of files that were online exceeded a billion and the total data size was about 1.2 TB.

The exposed VPNs are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN. More than one billion files were leaked, with a total data size of about 1.2 TB.

The compromised user data includes the following:

  • Internet activity logs
  • Names
  • Email addresses
  • Passwords in plain text form
  • IP addresses
  • Home addresses
  • Smartphone device models and IDs

The leaked user data includes the following:

  • Internet access records
  • User names
  • Email addresses
  • Passwords in plain text
  • IP addresses
  • Home addresses
  • Smartphone device models and IDs

Source: Comparitech Blog

For “no-log” VPNs, this is far too much data to be collecting, so these products’ marketing promises are simply false. The exposed users now run the risk of being scammed, extorted, phished, or even arrested and prosecuted if they accessed websites that are banned in their home countries.

For "no-log" VPNs, this is far too much data to collect, so these products' marketing promises are clearly false. If records of users visiting websites banned in their home countries are leaked, they face the risk of being scammed, extorted, phished, or even arrested and prosecuted.

These apps enjoyed very good user rating scores on the Apple App Store and the Google Play Store, so they were trusted by millions of people. The fact that they’re free, though, should be enough for the users to expect issues when it comes to these products’ privacy and security.

These apps received very high user ratings in the Apple App Store and Google Play Store and were therefore trusted by millions of people. The fact that they are offered free of charge was enough to make users overlook these products' privacy and security problems.

Both Ran Locar and Bob Diachenko, who independently located the unsecured instance, informed the owners of the VPN services about the security issue, but they were unresponsive. The date of discovery and notification is July 5, 2020, and the live server was not closed until ten whole days had passed. This is indicative of a VPN company that doesn’t care, and it caps off the insecurity and bad practices followed across the board.

Ran Locar and Bob Diachenko, through independent investigations, found the unsecured instance and notified the companies providing the VPN services of the security problem, but received no response from them. They discovered the problem and sent notification on July 5, 2020, but the live server was not shut down until ten days later. This shows that the VPN company's management does not care about the security of its products or about its bad business practices.

These VPN products will lose some users due to this incident, but the news won’t reach everyone, and free products are always a good lure for new users in the future.

These VPN products will lose some users because of this, but news like this cannot reach everyone, and free products will still attract new users in the future.

As we have explained before, the only way to be certain about the validity of a VPN product’s “no logs” policy is to trust audits carried out by independent firms. For example, NordVPN has recently passed an audit of this kind, and PureVPN did the same last year. These are trustworthy products not because they make reassuring claims on their respective websites, but because they paid an auditing firm to thoroughly investigate their claims and confirm them as truthful.

As we explained before, the only way to confirm whether a VPN product's "no-log" policy is valid is a trust audit by an independent firm. For example, NordVPN recently passed such an audit, and PureVPN did the same last year. These products are trustworthy not because they repeatedly reassure users on their respective websites, but because they hired an auditing firm to thoroughly investigate their products and confirm the truthfulness of their product policies.

Edited by: 【Himalaya Hawk Squad】