A group of researchers from universities in London and Rome has conducted a study revealing that many top VPN providers leak IPv6 data. A VPN is mainly used to protect one’s identity over the internet, bypass geo-restrictions and internet censorship, and keep your data safe from theft and fraud.
The paper published by these researchers, titled ‘A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients’, covered 14 different VPN providers. The research concluded that many of these providers leaked all or part of critical user traffic.
This conclusion was based on experimental studies. The researchers explained that the vulnerability is mainly driven by all VPN providers manipulating the IPv4 routing table and ignoring the IPv6 routing table. Since no rules are added to send IPv6 traffic through the VPN tunnel, that traffic travels outside the tunnel, which results in data leakage.
The table from the study shows that, apart from four VPN providers (TorGuard, PIA, VyprVPN and Mullvad), the rest leak your data online through IPv6, while all but one provider (Astrill) are susceptible to DNS hijacking.
Many of these VPN providers have responded to the allegations made by this research. For instance, PureVPN was reported to have said that they take the security of their users very seriously and have deployed a designated team to look into this issue. AirVPN was reported to have said that they had resolved this matter at its roots many months before the publication of this paper by allowing users to have IPs from the VPN gateway and VPN DNS server.
TorGuard responded to this research by introducing a new feature that prevents IPv6 leakage for Windows, Mac and Linux clients. In terms of DNS hijacking, TorGuard responded that this could only occur (in theory) if you are connected to a compromised Wi-Fi network.
On the other hand, Privateinternetaccess (PIA) criticized the study as flawed and as making inaccurate observations. PIA went on to report that its Windows client is safe and that, although the researchers did a good job in presenting a detailed analysis on DNS hijacking, the methods of reporting and disclosure were improper.
Are you unsure if your VPN provider is leaking your data? For now, we know that users of IPv4 clients are safe. The cause for concern is for users of IPv6 clients. Since many of the providers are still working around this problem or have added new features, our advice is that you disable the IPv6 settings on your Windows, Mac and Linux operating systems and contact your respective VPN provider to get further assistance.
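One way to check for the routing-table condition described above on a Linux machine is to see which interface the longest-prefix match selects for IPv4 and for IPv6. The following is an added example, not code from the study or from any VPN provider. The sample routing tables are constructed, and the tunnel interface name prefixes and result labels are assumptions.

```python
import ipaddress

DROP_TYPES = {"blackhole", "unreachable", "prohibit"}
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp")  # assumption: typical VPN interface names

# Constructed samples of `ip -4 route show` / `ip -6 route show` output.
V4_VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""
V6_UNTOUCHED = """\
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
V6_BLOCKED = "unreachable default dev lo metric 1024 pref medium\n"
V6_TUNNELED = "2000::/3 dev tun0 metric 1024 pref medium\n" + V6_UNTOUCHED

def parse_routes(text, version):
    """Return (network, dev) pairs; dev is None when the route drops traffic."""
    routes = []
    for fields in filter(None, map(str.split, text.splitlines())):
        drop = fields[0] in DROP_TYPES
        dest = fields[1] if drop else fields[0]
        if dest == "default":
            dest = "0.0.0.0/0" if version == 4 else "::/0"
        dev = fields[fields.index("dev") + 1] if "dev" in fields and not drop else None
        try:
            routes.append((ipaddress.ip_network(dest, strict=False), dev))
        except ValueError:
            continue  # skip lines that do not start with a prefix (e.g. multipath "nexthop")
    return routes

def egress_dev(routes, probe):
    """Longest-prefix match: which interface would carry traffic to probe?"""
    addr = ipaddress.ip_address(probe)
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def check_leak(v4_text, v6_text):
    """Classify the host using documentation-range probe addresses."""
    v4 = egress_dev(parse_routes(v4_text, 4), "192.0.2.1")
    v6 = egress_dev(parse_routes(v6_text, 6), "2001:db8::1")
    if not (v4 and v4.startswith(TUNNEL_PREFIXES)):
        return "ipv4-not-tunneled"
    if v6 is None:
        return "ipv6-unroutable"
    return "ipv6-tunneled" if v6.startswith(TUNNEL_PREFIXES) else "ipv6-leak"
```

On a live host, pass the output of `ip -4 route show` and `ip -6 route show` to check_leak while the VPN is connected. An empty IPv6 table, as after disabling IPv6, is reported as "ipv6-unroutable".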