Perfect Privacy (PP) has discovered a serious security flaw that can reveal VPN (virtual private network) users' real IP addresses. The issue can potentially affect all VPN protocols, such as IPSec, PPTP and OpenVPN, as well as all operating systems.
A VPN is used to mask an individual's IP address, but according to PP, the vulnerability it uncovered allows that masking to be circumvented without much difficulty.
— Perfect Privacy (@perfectprivacy) November 26, 2015
The issue involves a port-forwarding trick, where an attacker on the same VPN as the victim can forward traffic on a particular port, exposing the latter's real IP address. The victim remains vulnerable whether or not he has activated port forwarding himself.
"We have discovered a vulnerability in a number of providers that allows an attacker to expose the real IP address of a victim. 'Port Fail' affects VPN providers that offer port forwarding and have no protection against this specific attack," the VPN provider says, emphasizing that "Perfect Privacy users are protected from this attack."
To carry out an attack, the attacker has to have port forwarding activated for his account on the same network as the victim. He will then have to somehow get the victim to visit a link that leads the traffic to a port he controls.
PP tested this on nine notable VPN providers, five of which were vulnerable to the attack. PP notified the affected providers before disclosing the danger publicly.
After being alerted to the problem, Private Internet Access (PIA) told TorrentFreak that it immediately carried out a simple fix.
"We implemented firewall rules at the VPN server level to block access to forwarded ports from clients' real IP addresses. The fix was deployed on all our servers within 12 hours of the initial report," Amir Malik of PIA says.
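The rule PIA describes can be modelled as a decision on packets arriving at the VPN server's public address. This is an added example, not PIA's or Perfect Privacy's code; the class and function names, the VPN service port and port 40000, and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

VPN_SERVICE_PORT = 1194  # assumption: port the VPN daemon itself listens on


@dataclass
class VpnServer:
    """Toy model of packets arriving on a VPN server's public address."""
    block_client_real_ips: bool                      # True = rule from the PIA quote
    sessions: dict = field(default_factory=dict)     # real IP -> tunnel IP
    forwards: dict = field(default_factory=dict)     # public port -> owner's tunnel IP

    def connect(self, real_ip, tunnel_ip):
        self.sessions[ip_address(real_ip)] = ip_address(tunnel_ip)

    def disconnect(self, real_ip):
        self.sessions.pop(ip_address(real_ip), None)

    def handle(self, src_ip, dst_port):
        """Return (verdict, source address shown to the forward's owner)."""
        src = ip_address(src_ip)
        if dst_port == VPN_SERVICE_PORT:
            return ("vpn-daemon", None)              # tunnel setup must keep working
        if dst_port not in self.forwards:
            return ("drop", None)
        # The fix: a connected client's real IP never reaches a forwarded port.
        if self.block_client_real_ips and src in self.sessions:
            return ("drop", None)
        return ("forward", str(src))                 # owner sees this source address


def build(block):
    """Constructed sample: one forward on port 40000 and one other client."""
    srv = VpnServer(block_client_real_ips=block)
    srv.connect("203.0.113.10", "10.8.0.2")          # holder of the forwarded port
    srv.forwards[40000] = ip_address("10.8.0.2")
    srv.connect("198.51.100.23", "10.8.0.3")         # another client, same server
    return srv


if __name__ == "__main__":
    for block in (False, True):
        print("rule active:", block, build(block).handle("198.51.100.23", 40000))
```

The rule has to be keyed on the set of currently connected real IPs and updated on every connect and disconnect, and it must leave the VPN service port reachable so clients can still establish their tunnels.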
PIA was grateful to PP for responsibly informing other VPN providers before making the issue public, and rewarded PP with $5,000 as part of its Whitehat Alert Security Program.
PP has tested the vulnerability on only several VPN providers, not all of them, so some providers likely still need to implement a fix for this security flaw as soon as possible.