Researchers discover a gaping hole in VPNs which exposes real IP addresses with ease
VPN users around the world risk disclosing their real IPs to the public if a newly discovered flaw is exploited by authorities, censorship agencies, hackers and cyber criminals. Researchers from a VPN provider, Perfect Privacy, have discovered a previously unknown critical flaw which can expose the real IP addresses of VPN users with relative ease.
According to Perfect Privacy, this flaw affects all VPN protocols, including OpenVPN and IPSec, and operating systems.
VPN usage has been rising around the world due to censorship laws as well as users' preference for anonymity while browsing the Internet. VPN providers are particularly popular among BitTorrent users, who by default broadcast their IP addresses to hundreds of people when downloading a popular file.
The critical flaw uncovered by Perfect Privacy uses a simple port forwarding trick. If an attacker uses the same VPN as the victim, the victim's true IP address can be exposed by forwarding traffic on a specific port.
“Affected are VPN providers that offer port forwarding and have no protection against this specific attack,” Perfect Privacy notes.
They have given an example of a potential hacker who activates port forwarding for the default BitTorrent port. Once the hacker does so, all VPN users who are on the same network will expose their real IP address. The potential hacker can also use the same trick against VPN users who are using the regular Internet. In this case, however, the hacker will have to direct the VPN users to a page that connects to the forwarded port, thus exposing their real IPs, according to Perfect Privacy.
Perfect Privacy has said that they informed all the VPN service providers last week, including Private Internet Access (PIA), Ovpn.to and nVPN. Many of the VPN service providers fixed the issue before Perfect Privacy made their findings public.
PIA informs TorrentFreak that their fix was relatively simple and was implemented swiftly after they were notified.
“We implemented firewall rules at the VPN server level to block access to forwarded ports from clients’ real IP addresses. The fix was deployed on all our servers within 12 hours of the initial report,” PIA’s Amir Malik says.
However, many VPN service providers are still vulnerable to the flaw, and users of these services risk their real IP being made public. To safeguard themselves, they should immediately ask their VPN service providers to fix the flaw by implementing additional firewall rules at the server level.
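One way to express the kind of server-side rule PIA describes, as an added example and not PIA's or Perfect Privacy's own configuration. It assumes a Linux VPN server using iptables and ipset, port forwards implemented as DNAT, OpenVPN `client-connect`/`client-disconnect` hooks (which export `script_type` and `trusted_ip`), and a hypothetical set name `vpn_real_ips`; commands are only printed unless `RUN` is set to an empty string.

```shell
#!/bin/sh
# Added example: drop forwarded-port (DNAT) traffic whose source is the real
# IP of a currently connected VPN client. All names here are assumptions.
SET_NAME="vpn_real_ips"   # hypothetical ipset name
RUN=${RUN-echo}           # default: print commands; RUN="" executes them

# Strict IPv4 check so a hook never passes untrusted text to ipset.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Run once at server start: one rule covers every forwarded port, because
# "--ctstate DNAT" matches any connection that was port-forwarded.
install_base_rule() {
  $RUN ipset create "$SET_NAME" hash:ip -exist
  $RUN iptables -I FORWARD -m set --match-set "$SET_NAME" src \
    -m conntrack --ctstate DNAT -j DROP
}

# $1 = hook type, $2 = the client's real (pre-tunnel) IP address.
handle_event() {
  is_ipv4 "$2" || { echo "refusing non-IPv4 address" >&2; return 1; }
  case "$1" in
    client-connect)    $RUN ipset add "$SET_NAME" "$2" -exist ;;
    client-disconnect) $RUN ipset del "$SET_NAME" "$2" -exist ;;
    *) return 1 ;;
  esac
}

# When called by OpenVPN as a hook, the event arrives in the environment.
if [ -n "${script_type:-}" ]; then
  handle_event "$script_type" "${trusted_ip:-}" || exit 1
fi
```

Clients that share one public IP need reference counting before the `ipset del`, otherwise the first disconnect removes the protection for the others; IPv6 clients need an equivalent ip6tables rule.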