drduh / macOS-Security-and-Privacy-Guide

Guide to securing and improving privacy on macOS
https://drduh.github.io/macOS-Security-and-Privacy-Guide/
MIT License

Help - Urgent - IPinator VPN leaks MacOS login-password in clear text #198

Closed TraderStf closed 7 years ago

TraderStf commented 7 years ago

Hello guys,

I don't know where to report this, I hope some of you have contacts or ideas.

Briefly, I test a lot of VPNs and I tried IPinator VPN (IPV) from the StackSocial deal, $15. I am not concerned, angry, or a victim, and of course I don't use it. I did not pay; I got it through a StackSocial commission.

The IPV macOS client puts the login and password, the one used to log in to your Macintosh, in clear text in the logs. The client uses an AppleScript. If I am not mistaken, in System Preferences you can allow Apple (and third parties) to receive logs.

~3 months ago, I informed StackSocial of the following facts, but they did not even answer! Today, IPV is again at the top of their daily newsletter!

I hope one of you can trigger the bell to avoid more victims.

Sorry it's a bit messy.

Thanks,

Stéphane

ipinator.com popnetmedia.com streamunblocker.com reviewster.com ... http://domainbigdata.com/name/rob%20boirun

Rob Boirun Rob@boirun.com

gripedthumbtacks commented 7 years ago

That should teach you a valuable lesson about untrusted software that has not undergone a security assessment. Also, any software can be backdoored by your nation state to own you, even if it is relatively secure. Apart from contacting their security team, they don't have any obligation to fix it. But you can incentivize them by going to a news organization to shame them into fixing it after 90 days have passed with no fix, and to shine a light on the issue for would-be customers.

TraderStf commented 7 years ago

@9Yg1rxeSeha90ZU1 what kind of comment is that... it's not the point at all... I don't need to complain, I just try to stop them; there is only one crook. If you know any VPN with a security assessment...

gripedthumbtacks commented 7 years ago

Yes, @ioerror has evaluated numerous VPN solutions and debunked nearly all of them. You can read his assessment reports.

TraderStf commented 7 years ago

Thanks for the info. About that crook, he pretends that the giant company Zoolz-Cloud is one of his clients :-o

About security assessments, I don't think they are done at each update/release; it costs too much money.

I just read that an open source team got enough money (~$100,000) via Kickstarter to evaluate their app; I forgot which one.

Even then, if one uses the same techniques as malware, checking for antivirus, virtual machines, IP... before acting, it's an endless battle that is always lost.

marcus-cr commented 7 years ago

Neither IPinator nor Reviewster seem credible and trustworthy.

"IPinator.com does not condone the use of our service to facilitate copyright infringement. We respect and abide by U.S. copyright laws including the requirements of the DMCA and rely on our users to do the same." ... "Because we do not log our users’ activities in order to protect and respect their privacy, we are unable to identify particular users that may be infringing the lawful copyrights of others." ... "That being said, IPinator.com will do its best to assist copyright owners and their agents that report copyright infringement by a user that is using our services to the extent we can." (http://ipinator.com/dmca.html) - Revised 7/2015

TraderStf commented 7 years ago

Crazy... StackCommerce makes/allows a huge one-email campaign with just these 2 craps, even after I warned them 3+ months ago...

TraderStf commented 7 years ago

Seems the ad is now correct and clear, just 1y.