People using virtual private network (VPN) services to mask their IP addresses when accessing the Internet might want to pay attention to a newly discovered vulnerability thought to affect many VPN providers.

The so-called Port Fail vulnerability enables attackers to unmask the real IP address of someone using a VPN service to browse the Internet, service provider Perfect Privacy warned in an alert issued Nov. 26. The vulnerability has to do with the way many VPN providers implement port forwarding services. It affects all operating systems and VPN protocols, including OpenVPN, IPSec and PPTP.

Potentially Widespread Vulnerability

According to the alert, five out of nine prominent VPN service providers that Perfect Privacy reviewed allowed attackers to gather the real IP addresses of people using their services. Others are likely vulnerable to the attack as well, the company said.

Port forwarding is a technique for directing network connections to specific devices behind a network router. It is needed when a resource on the Internet needs to connect directly with a computer or server behind a router or a network firewall. For instance, an individual running a game server behind a router might want to use port forwarding to enable other players to connect to the server via a specific port.

The problem, according to Perfect Privacy, is that many VPN service providers who offer port forwarding do so in a manner that lets an attacker unmask the IP addresses of those using the service.

Easy to Execute and Target IP Addresses

In order to unmask a victim’s IP address, an attacker would first need an account with the VPN service provider. The attacker would also need to find a way to get the victim’s exit IP address — for instance, by luring the victim to a website controlled by the attacker or via Internet relay chat.

To carry out an attack, cybercriminals then set up port forwarding on the same VPN server that the victim is on and trick the victim into accessing a specific port on the server.

“If another user [the attacker] has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control,” Perfect Privacy said.

By getting a victim to click on an image file, for example, an attacker that has enabled port forwarding would be able to see the real IP address of the victim since users need their real IP address in order to connect, the company said.

All five VPN service providers who were found to be vulnerable to this issue were informed of the problem so they could address it before the vulnerability was publicly released.

Serious Privacy Risk

People who use VPN services typically do so for security and privacy reasons, so news of a vulnerability that undermines the anonymity users have come to expect from such services is a big deal. Darren Martyn, a developer and penetration tester, described Port Fail as a potentially critical privacy risk — especially for people who use VPN services to cloak their BitTorrent downloads.

In a blog post, Martyn outlined a sample attack showing how someone could unmask Torrent users by essentially bulk registering accounts on vulnerable VPNs and enabling port forwarding. He described his attack as being easy to pull of by anyone with the budget to buy VPN accounts with multiple service providers. Copyright litigation firms in particular may find the Port Fail vulnerability a good way to go after BitTorrent users, he said.

VPN providers won’t be going away, but users may have to alter practices to cover their tracks and remain aware of security vulnerabilities. Similarly, providers will need to patch flaws immediately to prevent cybercrime from affecting their users.

More from

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read