People using virtual private network (VPN) services to mask their IP addresses when accessing the Internet might want to pay attention to a newly discovered vulnerability thought to affect many VPN providers.

The so-called Port Fail vulnerability enables attackers to unmask the real IP address of someone using a VPN service to browse the Internet, service provider Perfect Privacy warned in an alert issued Nov. 26. The vulnerability has to do with the way many VPN providers implement port forwarding services. It affects all operating systems and VPN protocols, including OpenVPN, IPSec and PPTP.

Potentially Widespread Vulnerability

According to the alert, five out of nine prominent VPN service providers that Perfect Privacy reviewed allowed attackers to gather the real IP addresses of people using their services. Others are likely vulnerable to the attack as well, the company said.

Port forwarding is a technique for directing network connections to specific devices behind a network router. It is needed when a resource on the Internet needs to connect directly with a computer or server behind a router or a network firewall. For instance, an individual running a game server behind a router might want to use port forwarding to enable other players to connect to the server via a specific port.

The problem, according to Perfect Privacy, is that many VPN service providers who offer port forwarding do so in a manner that lets an attacker unmask the IP addresses of those using the service.

Easy to Execute and Target IP Addresses

In order to unmask a victim’s IP address, an attacker would first need an account with the VPN service provider. The attacker would also need to find a way to get the victim’s exit IP address — for instance, by luring the victim to a website controlled by the attacker or via Internet relay chat.

To carry out an attack, cybercriminals then set up port forwarding on the same VPN server that the victim is on and trick the victim into accessing a specific port on the server.

“If another user [the attacker] has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control,” Perfect Privacy said.

By getting a victim to click on an image file, for example, an attacker that has enabled port forwarding would be able to see the real IP address of the victim since users need their real IP address in order to connect, the company said.

All five VPN service providers who were found to be vulnerable to this issue were informed of the problem so they could address it before the vulnerability was publicly released.

Serious Privacy Risk

People who use VPN services typically do so for security and privacy reasons, so news of a vulnerability that undermines the anonymity users have come to expect from such services is a big deal. Darren Martyn, a developer and penetration tester, described Port Fail as a potentially critical privacy risk — especially for people who use VPN services to cloak their BitTorrent downloads.

In a blog post, Martyn outlined a sample attack showing how someone could unmask Torrent users by essentially bulk registering accounts on vulnerable VPNs and enabling port forwarding. He described his attack as being easy to pull of by anyone with the budget to buy VPN accounts with multiple service providers. Copyright litigation firms in particular may find the Port Fail vulnerability a good way to go after BitTorrent users, he said.

VPN providers won’t be going away, but users may have to alter practices to cover their tracks and remain aware of security vulnerabilities. Similarly, providers will need to patch flaws immediately to prevent cybercrime from affecting their users.