VPN flaw could expose real IP address to hackers

Bug could endanger privacy of VPN users

VPN

A flaw in the protocols used by virtual private networks has been discovered. The bug could enable hackers to expose the real IP address if a victim. The issue could pose a huge privacy risk.

According to VPN provider Perfect Privacy, the flaw, dubbed "Port Fail", affects VPN services providing port forwarding. The flaw leaves open a victim's true IP address open for all to see, defeating the purpose of a VPN.

Advertisement - Article continues below

To mount an attack, the hacker must know the victim's VPN exit IP address. In order to get this, a hacker need to trick users into opening a specially-crafted file. The hacker has to have port forwarding enabled but the victim doesn't have to have it activated.

The hacker would also have to be on the same VPN network and lure the victim into connecting to a resource controlled by the miscreant. The firm said that the leak affects all users.

"The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work," said the firm on a blog post.

The company tested nine VPN providers and found five to be vulnerable to this attack. It said it had notified those providers.

Advertisement
Advertisement - Article continues below

The firm said that in order to mitigate attacks, VPN firm should implement firewall rules at the VPN server side in order to block access to forwarded ports from users' real IP address.

Advertisement - Article continues below

Penetration tester Darren Martyn said in a blog post that the flaw could be used by media companies to unmask BitTorrent users downloading movies or music.

"I believe this kind of attack is probably going to be used heavily by copyright-litigation firms trying to prosecute Torrent users in the future, so it is probably best to double check that the VPN provider you are using does not suffer this vulnerability. If they do, notify them, and make sure they fix it," he said.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/ethical-hacking/355860/developer-scores-100000-bounty-from-apple-for-exposing-a-critical
ethical hacking

Developer scores $100,000 bounty from Apple for exposing a critical vulnerability

1 Jun 2020
Visit/security/hacking/355854/hackers-wreaking-havoc-on-googles-cloud-infrastructure
hacking

Hackers are wreaking havoc on Google’s Cloud infrastructure

1 Jun 2020
Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/security/phishing/355810/zloader-malware-returns-as-a-coronavirus-phishing-scam
phishing

ZLoader malware returns as a coronavirus phishing scam

27 May 2020

Most Popular

Visit/server-storage/network-attached-storage-nas/355849/western-digital-sneaked-inferior-smr-tech-into
network attached storage (NAS)

Western Digital accused of sneaking inferior SMR tech into NAS drives

1 Jun 2020
Visit/security/data-breaches/355777/easyjet-faces-class-action-lawsuit-over-data-breach
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020