Researchers have identified a serious vulnerability affecting VPN providers with port-forwarding services that allows an attacker to obtain the real IP address of a user’s computer.
VPN service provider Perfect Privacy has published a post about its findings on its blog:
“We have discovered a vulnerability in a number of providers that allows an attacker to expose the real IP address of a victim,” explains the company. “ ‘Port Fail’ affects VPN providers that offer port forwarding and have no protection against this specific attack.”
Perfect Privacy goes on to note that while its users are protected, this particular vulnerability affects all users of many other VPN services because only the attacker - not the victim - needs to enable port forwarding in order to exploit the bug.
In order to successfully unveil a victim’s IP address, the attacker must do three things:
- They must have an active account with the same VPN provider as the victim.
- The attacker must set up port forwarding.
- They must know the victim’s exit IP address.
This lattermost condition can be satisfied via IRC or torrent client. Alternatively, as noted by Jeremy Kirk of IT World, an attacker can trick a victim into visiting a malicious website (such as by embedding a hyperlinked image on a website), at which point they can then scrape the user’s IP.
Prior to the publication of its findings, Perfect Privacy tested the bug with nine prominent VPN providers, five of which proved to be vulnerable. These companies were subsequently contacted last week and given a chance to patch the flaw before Perfect Privacy made its research public.
One of those providers contacted was Private Internet Access (PIA), which has all ready patched the issue and stated that the fix was relatively simple and implemented shortly after it was notified.
PIA’s Amir Malik told Techworm what it had done to rectify the issue:
“We implemented firewall rules at the VPN server level to block access to forwarded ports from clients’ real IP addresses. The fix was deployed on all our servers within 12 hours of the initial report.
PIA also paid Perfect Privacy $5,000 USD for discovering the flaw.
While Perfect Privacy tested “Port Fail” with a few other VPN provider services, not all providers were analyzed. In reality, there are hundreds of VPN service providers in operation, many of which offer port-forwarding services. This could mean that an untold number of users, including those of Bittorrent (see Darren Martyn’s analysis here), could be vulnerable to having their IP addresses exposed.
Going forward, affected VPNs should either have multiple IP addresses, allow incoming connections to ip1, and allow exit connections/have port forwardings on ip2-ipx, or they should create a server side firewall rule that blocks the client’s IP address from port forwardings that are not the client’s own.
In the meantime, concerned users might want to investigate whether their VPN provider offers port forwarding services and, if so, whether they have patched “Port Fail”. If not, direct them to Perfect Privacy’s research.
No one wants their IP address exposed to an attacker, so the more VPN providers who get on board with this patch, the better.