CyberGhost VPN’s website says it’s the most ‘trusted and secure VPNs in the world’. I decided to question this claim and see where it falls short. One thing I did not like the sound of was the advertising feature shown to users when they connect to the service; it looked like a viable vector for users to be tracked, so I looked further.

Straight after installation there is a mixture of requests, one of them downloading ‘Additional Components’. These use HTTP instead of HTTPS, which is strange; I’m unsure why, because a certificate is installed and HTTPS is used later on.

We are then given a choice of HTTPS or HTTP when going to the start-up page, so a tool like sslstrip could be used against this as a vector. The code later redirects to a logging image. This code is used to track the user and log their timings, mostly for advertising, but at some points it also includes a userid value.

The SSL certificate isn’t even CyberGhost VPN’s own but Cloudflare’s. Cloudflare hasn’t got the greatest track record for SSL security, and I thought that for the biggest VPN this would be a priority.

Visiting https://advertiser.cyberghostvpn.com redirects you to the admin login, which gives attackers a clear and easy route to the admin folder, whose source provides a piece of information vital for fingerprinting the server. I couldn’t see any rate limiting on the login or the forgotten-password feature either, which could allow brute forcing: all round, a bad start for security at advertiser.cyberghostvpn.com.

One thing to learn from a quick glance at CyberGhost VPN: they’re not all that.

EDIT: CyberGhost VPN provided me with a response within 24 hours. I like to keep things open in these instances, although there are still some things I disagree on.

Email #1

Hi there, Just stumbled upon your blog post “CyberGhost VPN – I got 99 Problems and I’m sure SSL is one” and found it quite interesting. Thanks a lot for critically looking at our declarations about privacy. That’s what we always encourage our users to do and that’s one of the basics that helps us to improve over time. For your information you might like to know the following:

– Yes, it’s true, we are using advertiser to deliver ads, but you should know that we solely use our own advertiser to deliver our own offers.

– It’s also true that we look for updates via non-SSL connections – but all our updates are digitally signed. So the non-HTTP requests you saw are made by our update system that uses HTTP to bypass problems. For security the update itself is signed with a private key, the corresponding public key is integrated into CyberGhost (an RSA key only used for this intent, not a public certificate, which can be faked). Every update will be checked before applying.

– The additional components you saw are due to the installation of the Gecko engine. (By default CyberGhost operates with the Internet Explorer engine. If the Gecko engine is being demanded, it means that you either use Windows XP or at least an outdated version of IE.)
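Email #1 describes checking every update against an RSA public key built into the client before it is applied, which is what makes a plain-HTTP download tolerable for integrity (though not for confidentiality). The following is an added example, not CyberGhost’s code, of what such a pinned-key check looks like in Go; the key pair, the sample payload and the choice of RSA-PSS over SHA-256 are assumptions for illustration, and the signing side is included only so the sample runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Update is what the client fetches over plain HTTP; nothing in it is trusted until the signature checks out.
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the publisher side (included only so the demo runs offline):
// RSA-PSS over SHA-256(payload) with the vendor's private key.
func SignUpdate(priv *rsa.PrivateKey, payload []byte) (Update, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Update{}, err
	}
	return Update{Payload: payload, Signature: sig}, nil
}

// VerifyUpdate is the client side: pinned is the public key compiled into the
// client, never taken from the download. True only if the signature is valid for this payload.
func VerifyUpdate(pinned *rsa.PublicKey, u Update) bool {
	if len(u.Signature) == 0 {
		return false // a stripped signature is a failure, not "unsigned but fine"
	}
	digest := sha256.Sum256(u.Payload)
	return rsa.VerifyPSS(pinned, crypto.SHA256, digest[:], u.Signature, nil) == nil
}

func main() {
	// Demo key pair (constructed here); a real client embeds only the public half, fixed at build time.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	upd, _ := SignUpdate(priv, []byte("constructed sample update payload"))
	fmt.Println("genuine update verifies:", VerifyUpdate(&priv.PublicKey, upd))
	// An on-path attacker on the HTTP download can alter bytes but cannot re-sign them.
	tampered := Update{Payload: append([]byte("x"), upd.Payload...), Signature: upd.Signature}
	fmt.Println("tampered update verifies:", VerifyUpdate(&priv.PublicKey, tampered))
}
```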

Response #1

Thanks for responding to the article so quickly, many just ignore the articles and update silently. That’s why I didn’t send an email out to CyberGhost, it’s good to hear that you are happy about the article.

1. Although you have slightly rectified that right now by 403’ing the redirects, I didn’t like how open your service was for attackers. Although I didn’t extensively try, it seemed rather too easy to find the admin panel and bruteforce some logins for my liking.

2. I still don’t understand why HTTPS was not used as well as your signing, as most of your other requests are HTTPS. I don’t think you should provide the option of either HTTP or HTTPS in advertiser. either http://itsjack.cc/blog/wp-content/uploads/2015/07/b.png, as I’ve outlined in the article have you thought about changing your Cloudflare SSL?

Email #2