December 1, 2015 By Jaikumar Vijayan 3 min read

People using virtual private network (VPN) services to mask their IP addresses when accessing the Internet might want to pay attention to a newly discovered vulnerability thought to affect many VPN providers.

The so-called Port Fail vulnerability enables attackers to unmask the real IP address of someone using a VPN service to browse the Internet, service provider Perfect Privacy warned in an alert issued Nov. 26. The vulnerability has to do with the way many VPN providers implement port forwarding services. It affects all operating systems and VPN protocols, including OpenVPN, IPSec and PPTP.

Potentially Widespread Vulnerability

According to the alert, five out of nine prominent VPN service providers that Perfect Privacy reviewed allowed attackers to gather the real IP addresses of people using their services. Others are likely vulnerable to the attack as well, the company said.

Port forwarding is a technique for directing network connections to specific devices behind a network router. It is needed when a resource on the Internet needs to connect directly with a computer or server behind a router or a network firewall. For instance, an individual running a game server behind a router might want to use port forwarding to enable other players to connect to the server via a specific port.

The problem, according to Perfect Privacy, is that many VPN service providers who offer port forwarding do so in a manner that lets an attacker unmask the IP addresses of those using the service.

Easy to Execute and Target IP Addresses

In order to unmask a victim’s IP address, an attacker would first need an account with the VPN service provider. The attacker would also need to find a way to get the victim’s exit IP address — for instance, by luring the victim to a website controlled by the attacker or via Internet relay chat.

To carry out an attack, cybercriminals then set up port forwarding on the same VPN server that the victim is on and trick the victim into accessing a specific port on the server.

“If another user [the attacker] has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control,” Perfect Privacy said.

By getting a victim to click on an image file, for example, an attacker that has enabled port forwarding would be able to see the real IP address of the victim since users need their real IP address in order to connect, the company said.

All five VPN service providers who were found to be vulnerable to this issue were informed of the problem so they could address it before the vulnerability was publicly released.

Serious Privacy Risk

People who use VPN services typically do so for security and privacy reasons, so news of a vulnerability that undermines the anonymity users have come to expect from such services is a big deal. Darren Martyn, a developer and penetration tester, described Port Fail as a potentially critical privacy risk — especially for people who use VPN services to cloak their BitTorrent downloads.

In a blog post, Martyn outlined a sample attack showing how someone could unmask Torrent users by essentially bulk registering accounts on vulnerable VPNs and enabling port forwarding. He described his attack as being easy to pull of by anyone with the budget to buy VPN accounts with multiple service providers. Copyright litigation firms in particular may find the Port Fail vulnerability a good way to go after BitTorrent users, he said.

VPN providers won’t be going away, but users may have to alter practices to cover their tracks and remain aware of security vulnerabilities. Similarly, providers will need to patch flaws immediately to prevent cybercrime from affecting their users.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today