SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
30 Nov 2015

Port Fail VPN security flaw exposes your true IP address

A vulnerability discovered in protocols used by virtual private networks (VPNs) allows attackers to expose the true IP addresses of intended victims.

In a security advisory posted this week by VPN provider Perfect Privacy, the company says that the flaw, dubbed "Port Fail," affects VPN providers which offer port forwarding and have no protection against IP leaks.

VPNs are used worldwide by the privacy conscious and to circumvent geolocation-based content restrictions by disguising the true location of a person. VPNs are also a way to bypass censorship in countries that rule Internet access with an iron fist. The use of VPNs has also increased post-Snowden as more of us are now concerned about who could be tracking our online activity. Naturally, a security flaw which leaves our true IP addresses open for all to see defeats the purpose of VPNs, and the vulnerability exposed by Perfect Privacy could prove dangerous for VPN providers which are not aware of the vulnerability.

The VPN provider, which has protected its networks against an attack leveraging the flaw, says there are several steps to execute a successful exploit. An attacker needs to have an active account with the same VPN provider as the victim, and must also know the victim's VPN exit IP address, obtainable through torrent clients or by enticing victims to visit a malicious page, and must set up port forwarding. It is irrelevant whether the victim also has port forwarding -- which reroutes traffic to different addresses -- active or not.

The hacker then connects to the same server gateway as the victim, activates port forwarding and waits until the victim visits a malicious website address -- where their true IP can be scraped. "The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address as this is required for the VPN connection to work," the company says.

"If another user (the attacker) has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control." According to Perfect Privacy, due to the nature of the attack, all VPN protocols -- such as IPSec, OpenVPN and PPTP -- are affected, as well as all operating systems.

The VPN provider tested the vulnerability with nine VPN providers which offer port forwarding. In total, five were vulnerable, including Private Internet Access (PIA), Ovpn.to and nVPN, which were notified before public disclosure and have fixed the issue. However, Perfect Privacy suspects far more firms are affected. PIA awarded Perfect Privacy a bug bounty of $5,000 for the disclosure.

Tags:
information leaks Port Fail
Source:
ZDNet
2118
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015