Hackers Can Use a VPN to Hijack Your PC: How to Protect Yourself

Updated May 13, 2020, with an explanation from VPNpro.

Two prominent VPN services may have been hacked by a malicious software update, researchers at news site VPNpro have discovered. If you were using one of them, your computer could have been completely taken over by almost any type of malware without you realizing it.

Two VPN services, Betternet and PrivateVPN, have since fixed the flaw. Before that, however, it was possible to infect Betternet and PrivateVPN client software on Windows PCs with fake software updates downloaded via a man-in-the-middle attack.

"Rather than protecting users' data, PrivateVPN and Betternet overlooked important security aspects that would allow malicious actors to steal that data or commit even more nefarious acts," the VPNpro report states.

VPNpro researchers examined 20 widely used VPN services: Betternet, CyberGhost, ExpressVPN, Hide.me, HMA (Hide My Ass), Hola VPN, Hotspot Shield, IPVanish, Ivacy, NordVPN, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, TorGuard, TunnelBear, TurboVPN, SurfShark, VyprVPN, Windscribe.

There were no problems with 14 of the VPN services. However, it was possible to intercept client-server communications for six VPN services, including Hotspot Shield and Hide.me, although neither of these two clients actually connected to the VPNpro proof-of-concept malicious servers.

Four of the services' client software did connect to VPNpro's malicious servers. Two of them, CyberGhost and TorGuard, did not download the malicious software updates set up by VPNpro.

Betternet and PrivateVPN both downloaded the updates. Betternet's client software did not automatically install the malicious update but encouraged users to do so. (The PrivateVPN client automatically installed the update.)

The described attack was not purely academic or confined to a laboratory environment.

"Let's say you are connecting to free Wi-Fi in a cafe or at the airport. Before you connect to the Internet, you connect to a VPN." Then you receive a notification to install recent updates to your VPN tool.

"Of course, it's important to keep your software up to date, so you do," VPNpro said, adding that doing so could install ransomware, spyware, or virtually any kind of malware on your computer.

The best way to avoid such attacks is to avoid downloading software updates from untrusted or open Wi-Fi networks, VPNpro said. It is all too easy for pranksters and criminals to set up malicious Wi-Fi hotspots with innocuous names like "Starbucks Wi-Fi" or "AT&T Free Hotspot."

And of course, no matter how malware gets into your computer, running the best anti-virus program will help you avoid most malware attacks.

After receiving blowback from some VPN providers that fell into the "intercepted" but not completely hacked category, VPNpro added the following paragraph to its initial report.

If the VPN responded "Yes" to the question "Can we intercept the connection?", this means that the VPN software did not add certificate pinning or similar procedures that would prevent interception of communications with the update network request. As a result, connections to 6 VPNs could be intercepted, while 14 VPNs had proper certificate pinning in place.

In general, some readers mistakenly believe that "intercepting communications" means intercepting communications between the user and the VPN server, when in fact our study is about updates and client endpoints, not touching VPN connections.

If a VPN is "connected while being intercepted," this means that the VPN software established a connection to the VPN server during the malicious connection. If the answer is "No," it means that the connection was not made. In our tests, 4 of the top 20 VPNs established this connection and 16 did not.

However, since our POC was based on pushing fake updates through apps and these VPNs (CyberGhost, Hotspot Shield, Hide Me, TorGuard) did not accept them, we did not consider this a vulnerability.
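The certificate-pinning check that VPNpro's clarification refers to, sketched for an update client as an added example; it is not code from VPNpro, this article, or any VPN vendor. The certificate bytes, pin set and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER certificates; real ones come from the TLS handshake.
GENUINE_CERT = b"constructed-genuine-update-server-cert"
INTERCEPTOR_CERT = b"constructed-interceptor-cert"

# Pin set shipped inside the client (assumption: pins the whole certificate;
# pinning the public key instead survives certificate renewal with the same key).
PINNED_SHA256 = frozenset({hashlib.sha256(GENUINE_CERT).hexdigest()})


def cert_is_pinned(der_cert, pins=PINNED_SHA256):
    """Return True only if the presented certificate hashes to a shipped pin."""
    if not der_cert:  # no certificate presented
        return False
    digest = hashlib.sha256(der_cert).hexdigest()
    return any(hmac.compare_digest(digest, pin) for pin in pins)


def open_update_channel(host, port=443, pins=PINNED_SHA256):
    """Open TLS to the update host and refuse to continue on a pin mismatch.

    CA and hostname validation still run; the pin is an additional check, so a
    certificate that the operating system trusts is not enough on its own.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not cert_is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("update server certificate does not match pinned value")
    return tls  # only now may the client request update metadata


def update_check_outcome(der_cert):
    """Offline view of the decision the updater makes for a presented certificate."""
    return "proceed" if cert_is_pinned(der_cert) else "abort"


if __name__ == "__main__":
    print("genuine server:", update_check_outcome(GENUINE_CERT))
    print("interceptor:   ", update_check_outcome(INTERCEPTOR_CERT))
```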
