A team of five researchers from London and Rome found that 14 from the world's leading Virtual Private Servers (VPN) has leaked IP data.
Vasile C. Perta, Marco V. Barbera, and Alessandro Mei of Rome's Sapienza University, along with Gareth Tyson, and Hamed Haddadi of Queen Mary University of London report that vendors promise to protect the privacy of their users not applicable.
"Although a well-known issue, an experimental study reveals that most VPN services suffer from IPv6 traffic leaks," say study authors A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients [PDF].
"Our findings confirm the criticality of the current situation: in many of these [14] providers, there are total leaks, or a critical part of user traffic in mild environments.
"The reasons for these shortcomings are different, and if nothing else vague, or their nature has been little explored."
The team reviewed top companies such as: Hide My Ass, PrivateInternetAccess, and IPVanish.
They have made OpenWrt IPv6 dual stack connections via IPv4 Wi-Fi networks with Ubuntu, Windows, OSX, iOS 7 and Android updates.
So they created a simulated environment where users trust VPNs to protect them from a hostile network.
All but the Astrill provider was open to IPv6 DNS hijacking attacks and only four companies did not leak IPv6 data.
No company was resistant to both threats.
Researchers report:
"Our project initially started as a general investigation, but we soon discovered that there is a serious vulnerability in IPv6 traffic leaks that is pervasive in almost all VPN services. A further security check revealed two DNS hijacking attacks that allowed us to access all of the victim's movements and traffic. "
Researchers have discovered that the most common VPN tunnelling technologies are based on obsolete technologies such as PPTP with MS-CHAPv2, which could break with brute-force attacks.
The "vast majority" of commercial VPNs, according to the researchers, suffer from dual stack data leakage into IPv4 and IPv6 networks in such a way that they expose "significant amounts" of traffic contrary to the claims of the supplier.
"The most important thing we found is that the small amount of IPv6 traffic leaking out of the VPN channel has the potential to expose the entire user browsing history, even if it only surfs IPv4 web pages."
“While all VPN clients use the IPv4 routing table, they tend to ignore the IPv6 routing table. In addition there are no rules to redirect IPv6 traffic to the tunnel. This can cause all IPv6 traffic to bypass the VPN virtual interface. Although it was not a serious issue a few years ago, the increasing amounts of traffic that now exist over IPv6 make it a critical issue. "