A vulnerability discovered in protocols used by virtual private networks (VPNs) allows attackers to expose the true IP addresses of intended victims.
In a security advisory posted this week by VPN provider Perfect Privacy, the company says that the flaw, dubbed "Port Fail," affects VPN providers which offer port forwarding and have no protection against IP leaks.
VPNs are used worldwide by the privacy conscious and to circumvent geolocation-based content restrictions by disguising the true location of a person. VPNs are also a way to bypass censorship in countries that rule Internet access with an iron fist. The use of VPNs has also increased post-Snowden as more of us are now concerned about who could be tracking our online activity. Naturally, a security flaw which leaves our true IP addresses open for all to see defeats the purpose of VPNs, and the vulnerability exposed by Perfect Privacy could prove dangerous for VPN providers which are not aware of the vulnerability.
The VPN provider, which has protected its networks against an attack leveraging the flaw, says there are several steps to execute a successful exploit. An attacker needs to have an active account with the same VPN provider as the victim, and must also know the victim's VPN exit IP address, obtainable through torrent clients or by enticing victims to visit a malicious page, and must set up port forwarding. It is irrelevant whether the victim also has port forwarding -- which reroutes traffic to different addresses -- active or not.
The hacker then connects to the same server gateway as the victim, activates port forwarding and waits until the victim visits a malicious website address -- where their true IP can be scraped. "The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address as this is required for the VPN connection to work," the company says.
"If another user (the attacker) has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control." According to Perfect Privacy, due to the nature of the attack, all VPN protocols -- such as IPSec, OpenVPN and PPTP -- are affected, as well as all operating systems.
The VPN provider tested the vulnerability with nine VPN providers which offer port forwarding. In total, five were vulnerable, including Private Internet Access (PIA), Ovpn.to and nVPN, which were notified before public disclosure and have fixed the issue. However, Perfect Privacy suspects far more firms are affected. PIA awarded Perfect Privacy a bug bounty of $5,000 for the disclosure.
