Yesterday VPN.ac went on the record to announce its discovery that rival VPN provider TorGuard has in fact copied the design of its Chrome extension. The discovery, which was made by one of VPN.ac’s customers, was first announced on Twitter, where it caused quite a stir amongst the technology and infosec community.
Following the announcement, VPN.ac soon added a blog post on the discovery to its website. In it they explain that not only has TorGuard stolen its design (a move that is strictly prohibited by VPN.ac’s terms of service), but it has also been using VPN.ac’s geolocation API server address. That geo-IP API server belongs to VPN.ac, which is now hosting this picture on it to prove that it is theirs.
VPN.ac has also revealed that by using its API server, TorGuard has implemented its browser proxy service in an entirely insecure way, meaning that users of TorGuard’s Chrome extension have in fact not been receiving the secure service that TorGuard’s product promises,
‘An advice to Torguard: when copying someone else’s work, please also consider your users.’
Explaining why they decided to go public with the announcement, VPN.ac’s blog says,
‘We make this public to avoid the awkward moment when someone might accuse us of copying them and not the other way around.’
This move, however, was not strictly necessary, considering that anybody can use a tool like CRX Source Viewer to read the source code of an extension straight from the Web Store. In this way, anyone can quickly verify that TorGuard’s app is indeed almost entirely an imitation.
Add to this the fact that VPN.ac released its Chrome extension on December 17, 2014, and that even its Firefox extension was released in advance of TorGuard’s Chrome extension (this May), and you get a pretty clear picture of what has happened.
In its blog, VPN.ac was quick to point out just why using someone else’s API is such a huge mistake,
‘Fyi, using someone else’s API servers, as a VPN service, is a very irresponsible mistake – just terrible from a security & privacy point of view. What they do by using someone else’s servers such as our API service, essentially, is to expose all their Chrome Proxy users’ IPs to a competitor.’
Luckily for TorGuard, VPN.ac had no reason to log user IP addresses (it offers a privacy-focused service and does not look at IP addresses itself). The truth, however, is that TorGuard has got off lightly, because a more malicious competitor could have redirected the requests or forged the JSON replies to interfere with the extension’s functionality. This sentiment was reiterated by Twitter user @blowdart, who said,
‘@vpnac missed a chance for mischief, could have returned much more interesting things as location strings.’
In its blog, VPN.ac also goes on to explain other security aspects involved in the copycat extension, explaining, almost unbelievably, that TorGuard had failed to copy the most important parts of the code,
‘Not everything from our app was copied (they missed the good parts!), for example, the storage of credentials and the update of active servers via JSON queries:
- TorGuard stores the credentials in clear-text; we are XORing the pass to protect it against spyware that will search all over the place for clear-text credentials.
- TorGuard gets the up-to-date list of proxy gateways over HTTP (again in clear-text); we get them over HTTPS (A+ on Qualys/mirrored results): from Torguard’s background.js, from our background.js;
- The obvious risk of providing server IPs over HTTP is that they can be easily hijacked in a MitM attack;
- TorGuard’s HTTPS proxy is highly insecure: uses insecure ciphers like RC4, supports SSL 3, is vulnerable to POODLE attack, doesn’t provide Forward Secrecy. Gets a shameful Grade C on Qualys test. Result mirrored (in case you don’t want to wait for the test to finish). And this is our result/mirror (FS enabled, no weak ciphers, support only for TLS 1.1 and 1.2)’
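The two points above that matter most for users are the transport of the gateway list and the trust placed in whatever server answers it: a list fetched over plain HTTP can be rewritten by anyone on the path, and a list fetched from a server you do not control can be rewritten by whoever does. The following is an added illustration, not code from VPN.ac’s or TorGuard’s extension, of how a Chrome proxy extension can fetch and validate its gateway list so that a hijacked or forged reply is rejected instead of silently reconfiguring the proxy. The API origin, the reply format (`{servers: [{host, port, scheme}]}`), the sample replies and the function names are all assumptions made for this example. The same origin check is what keeps an extension from quietly sending every user’s IP to somebody else’s geolocation endpoint. On the credentials point, note that XOR-obfuscating a stored password with a key that ships inside the extension only defeats naive searches for clear-text strings; it is not encryption, and not persisting the password at all is the stronger option.

```javascript
// Added example, not VPN.ac's or TorGuard's code: fetch a proxy gateway
// list only from the operator's own HTTPS origin, validate the reply
// before trusting it, and build the Chrome ProxyConfig from the result.
// Origin, reply shape and helper names are assumptions for this example.

const ALLOWED_LIST_ORIGIN = "https://api.example-vpn.test"; // placeholder origin

// The list must come from the operator's own origin over TLS: never from a
// third party's server (that leaks every user's IP) and never over HTTP
// (that lets a MitM substitute gateways of their choosing).
function isAllowedListUrl(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return u.protocol === "https:" && u.origin === ALLOWED_LIST_ORIGIN;
}

const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const HOSTNAME = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$/i;

// Validate the reply shape before using any of it. Returns a clean copy
// holding only the fields the extension needs; throws on anything odd.
function parseGatewayList(text) {
  let data;
  try { data = JSON.parse(text); } catch { throw new Error("gateway list is not valid JSON"); }
  if (!data || !Array.isArray(data.servers) || data.servers.length === 0) {
    throw new Error("gateway list has no servers[] array");
  }
  return data.servers.map((s, i) => {
    if (typeof s !== "object" || s === null) throw new Error(`server ${i}: not an object`);
    const { host, port, scheme } = s;
    if (typeof host !== "string" || !(IPV4.test(host) || HOSTNAME.test(host))) {
      throw new Error(`server ${i}: host is not an IPv4 address or hostname`);
    }
    if (!Number.isInteger(port) || port < 1 || port > 65535) {
      throw new Error(`server ${i}: port out of range`);
    }
    // Only HTTPS proxies: the browser-to-gateway hop must itself be encrypted.
    if (scheme !== "https") throw new Error(`server ${i}: scheme must be https`);
    return { host, port, scheme };
  });
}

// Build the ProxyConfig object that chrome.proxy.settings.set() accepts
// ("fixed_servers" mode with a single proxy). The first validated gateway
// is used here; a real extension would let the user pick one.
function buildProxyConfig(gateway) {
  return {
    mode: "fixed_servers",
    rules: {
      singleProxy: { scheme: gateway.scheme, host: gateway.host, port: gateway.port },
      bypassList: ["<local>"],
    },
  };
}

// Fetch and validate. fetchImpl is injectable so the logic can be exercised
// offline; inside the extension it is simply the global fetch.
async function loadGateways(url, fetchImpl = fetch) {
  if (!isAllowedListUrl(url)) throw new Error(`refusing to load gateway list from ${url}`);
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), 10000);
  try {
    const res = await fetchImpl(url, { signal: ctrl.signal, cache: "no-store", credentials: "omit" });
    if (!res.ok) throw new Error(`gateway list request failed: HTTP ${res.status}`);
    return parseGatewayList(await res.text());
  } finally {
    clearTimeout(timer);
  }
}

// Constructed sample replies: one legitimate, one of the kind a MitM on a
// plain-HTTP fetch could inject (a plain-HTTP gateway at an address they pick).
const GOOD_REPLY = JSON.stringify({ servers: [{ host: "gw1.example-vpn.test", port: 443, scheme: "https" }] });
const FORGED_REPLY = JSON.stringify({ servers: [{ host: "203.0.113.9", port: 8080, scheme: "http" }] });

// Offline self-demo with a fake fetch.
function fakeFetch(body) {
  return async () => ({ ok: true, status: 200, text: async () => body });
}
loadGateways(`${ALLOWED_LIST_ORIGIN}/v1/gateways`, fakeFetch(GOOD_REPLY))
  .then((gws) => console.log("accepted:", JSON.stringify(buildProxyConfig(gws[0]))))
  .catch((e) => console.error(e.message));
loadGateways("http://api.example-vpn.test/v1/gateways", fakeFetch(GOOD_REPLY))
  .catch((e) => console.log("rejected:", e.message));
loadGateways(`${ALLOWED_LIST_ORIGIN}/v1/gateways`, fakeFetch(FORGED_REPLY))
  .catch((e) => console.log("rejected:", e.message));
```

Origin pinning plus schema validation is deliberately strict: a reply that is well-formed JSON but points at an HTTP proxy, or that arrives from any origin other than the one the extension author operates, is thrown away rather than applied. Pinning the list endpoint to a single origin is also a one-line safeguard against the mistake the article describes, where an extension ends up calling a competitor’s server.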
Luckily for TorGuard’s customers, VPN.ac has not behaved in a harmful way or engaged in any form of revenge tactics, electing instead to move forward by simply announcing its discovery to the world, a move for which it cannot be faulted.
For this reason, although we advise current TorGuard users not to be overly worried about the security breach, we do strongly recommend moving away from its VPN service in favour of something that has not been proven to be a total security let-down.
Sadly, we have not been able to get a response from TorGuard following the discovery. In fact, its only reply on the matter was directed at VPN.ac’s Twitter account, where it simply replied ‘K THX’ to the allegations. Not exactly an encouraging response to such an enormous issue from a reputable brand that has been caught with its trousers down.
Since the announcement, TorGuard has removed VPN.ac’s geo API servers from its app, but it remains unapologetic for maliciously copying its app design.