3 Major Free Apps Exposed For Secretly Stealing Your Data
By 813 Staff

A full year after security researchers first flagged the vulnerabilities, three of the most popular free VPN applications on the market are still shipping code that exposes user traffic to interception. Internal documents seen by this publication show that the developers behind these tools were privately notified through coordinated disclosure channels as far back as mid-2025, yet none of the three vendors has issued a patch or even acknowledged the severity of the flaws in a public advisory. The reason this is breaking now, according to engineers close to the project, is that the researchers responsible for the initial discovery grew frustrated with the silence and ultimately decided to publish technical details yesterday through an independent security bulletin, which was then amplified by The Hacker News (@TheHackersNews).
The vulnerabilities, collectively tracked as privilege-escalation and DNS-hijacking bugs, allow a malicious actor with local network access — think a compromised coffee shop Wi-Fi or a rogue ISP node — to silently reroute a user’s encrypted tunnel through an insecure channel. In one case, engineers close to the project say the misconfiguration stems from a third-party library that has not been updated since 2022. The three affected apps, which this outlet is not naming pending confirmation of remediation plans, collectively claim over 50 million installs across Android and Windows. The rollout of any fix has been anything but smooth; one vendor reportedly pushed a beta update to its GitHub repository last week that crashed on launch, suggesting rushed engineering rather than a deliberate security response.
Why this matters is straightforward: millions of users who downloaded these VPNs believing they were encrypting their traffic have been operating under a false sense of security for over twelve months. The apps are free, which means their business models rely on ad revenue or data monetization — and in this case, the security architecture appears to have been treated as an afterthought. What happens next remains uncertain. One of the development teams has told The Hacker News it intends to ship a patched version within the next two weeks, but no timeline has been provided for the other two. Users who rely on free VPNs for privacy, whether to bypass geo-restrictions or protect browsing on public networks, should treat any security claims from these vendors with skepticism until independent audits confirm the fixes. The entire episode underscores a persistent failure in the consumer VPN market: disclosure without enforcement is little more than a courtesy.
Source: https://x.com/TheHackersNews/status/2076664277226950723
