From helpnetsecurity.com
Several vulnerabilities that affect most VPN products out there can be exploited by attackers to read user traffic, steal user information, or even attack user devices, researchers have discovered.
“Our attacks are not computationally expensive, meaning anyone with the appropriate network access can perform them, and they are independent of the VPN protocol being used,” claim Nian Xue of New York University; Yashaswi Malla, Zihang Xia, and Christina Pöpper of New York University Abu Dhabi; and Mathy Vanhoef of KU Leuven University.
“Even if the victim is using another layer of encryption such as HTTPS, our attacks reveal which websites a user is visiting, which can be a significant privacy risk.”