VPN flaw could expose real IP address to hackers
Bug could endanger privacy of VPN users
A flaw in the protocols used by virtual private networks has been discovered. The bug could enable hackers to expose the real IP address of a victim. The issue could pose a huge privacy risk.
According to VPN provider Perfect Privacy, the flaw, dubbed "Port Fail", affects VPN services providing port forwarding. The flaw leaves a victim's true IP address open for all to see, defeating the purpose of a VPN.
To mount an attack, the hacker must know the victim's VPN exit IP address. In order to get this, a hacker needs to trick users into opening a specially-crafted file. The hacker has to have port forwarding enabled but the victim doesn't have to have it activated.
The hacker would also have to be on the same VPN network and lure the victim into connecting to a resource controlled by the miscreant. The firm said that the leak affects all users.
"The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work," said the firm in a blog post.
The company tested nine VPN providers and found five to be vulnerable to this attack. It said it had notified those providers.
The firm said that to mitigate attacks, VPN firms should implement firewall rules on the VPN server side to block access to forwarded ports from users' real IP addresses.
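The routing behaviour in the firm's quote and the server-side rule it recommends, modelled as an added Python example (not code from Perfect Privacy or this article). All addresses, the port number and the function names are constructed for illustration, and the client routing table assumes the usual full-tunnel setup with a host route to the VPN server.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the article.
VPN_SERVER = ipaddress.ip_address("198.51.100.10")   # VPN server / exit IP
REAL_IP = ipaddress.ip_address("203.0.113.25")       # client's ISP-assigned address
TUNNEL_IP = ipaddress.ip_address("10.8.0.6")         # client's address inside the VPN

# Assumed client routing table while connected: everything goes through the
# tunnel, except a host route to the VPN server itself via the real uplink.
CLIENT_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "tun0", TUNNEL_IP),
    (ipaddress.ip_network("198.51.100.10/32"), "eth0", REAL_IP),
]

def source_for(dest, routes=CLIENT_ROUTES):
    """Longest-prefix match: return (interface, source IP) used to reach dest."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r[0]]
    net, iface, src = max(matches, key=lambda r: r[0].prefixlen)
    return iface, src

def server_allows(src, dport, client_real_ips, forwarded_ports):
    """Server-side rule from the mitigation: drop traffic to any forwarded port
    when it arrives from the real address of a currently connected client."""
    src = ipaddress.ip_address(src)
    if dport in forwarded_ports and src in client_real_ips:
        return False
    return True

def audit(dport, forwarded_ports, client_real_ips):
    """Return what the server sees for a client connection to VPN_SERVER:dport."""
    iface, src = source_for(VPN_SERVER)
    return {
        "interface": iface,
        "source_seen_by_server": str(src),
        "allowed": server_allows(src, dport, client_real_ips, forwarded_ports),
    }

if __name__ == "__main__":
    forwarded = {40123}  # constructed forwarded port
    print(source_for("192.0.2.80"))                            # ordinary traffic
    print(audit(40123, forwarded, client_real_ips=set()))      # rule has no data
    print(audit(40123, forwarded, client_real_ips={REAL_IP}))  # rule active
```

For the rule to work, the server has to keep the set of connected clients' real addresses current as sessions start and end.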
Penetration tester Darren Martyn said in a blog post that the flaw could be used by media companies to unmask BitTorrent users downloading movies or music.
"I believe this kind of attack is probably going to be used heavily by copyright-litigation firms trying to prosecute Torrent users in the future, so it is probably best to double check that the VPN provider you are using does not suffer this vulnerability. If they do, notify them, and make sure they fix it," he said.