December 1, 2015 By Jaikumar Vijayan 3 min read

People using virtual private network (VPN) services to mask their IP addresses when accessing the Internet might want to pay attention to a newly discovered vulnerability thought to affect many VPN providers.

The so-called Port Fail vulnerability enables attackers to unmask the real IP address of someone using a VPN service to browse the Internet, service provider Perfect Privacy warned in an alert issued Nov. 26. The vulnerability has to do with the way many VPN providers implement port forwarding services. It affects all operating systems and VPN protocols, including OpenVPN, IPSec and PPTP.

Potentially Widespread Vulnerability

According to the alert, five out of nine prominent VPN service providers that Perfect Privacy reviewed allowed attackers to gather the real IP addresses of people using their services. Others are likely vulnerable to the attack as well, the company said.

Port forwarding is a technique for directing network connections to specific devices behind a network router. It is needed when a resource on the Internet needs to connect directly with a computer or server behind a router or a network firewall. For instance, an individual running a game server behind a router might want to use port forwarding to enable other players to connect to the server via a specific port.

The problem, according to Perfect Privacy, is that many VPN service providers who offer port forwarding do so in a manner that lets an attacker unmask the IP addresses of those using the service.

Easy to Execute and Target IP Addresses

In order to unmask a victim’s IP address, an attacker would first need an account with the VPN service provider. The attacker would also need to find a way to get the victim’s exit IP address — for instance, by luring the victim to a website controlled by the attacker or via Internet relay chat.

To carry out an attack, cybercriminals then set up port forwarding on the same VPN server that the victim is on and trick the victim into accessing a specific port on the server.

“If another user [the attacker] has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control,” Perfect Privacy said.

By getting a victim to click on an image file, for example, an attacker that has enabled port forwarding would be able to see the real IP address of the victim since users need their real IP address in order to connect, the company said.

All five VPN service providers who were found to be vulnerable to this issue were informed of the problem so they could address it before the vulnerability was publicly released.

Serious Privacy Risk

People who use VPN services typically do so for security and privacy reasons, so news of a vulnerability that undermines the anonymity users have come to expect from such services is a big deal. Darren Martyn, a developer and penetration tester, described Port Fail as a potentially critical privacy risk — especially for people who use VPN services to cloak their BitTorrent downloads.

In a blog post, Martyn outlined a sample attack showing how someone could unmask Torrent users by essentially bulk registering accounts on vulnerable VPNs and enabling port forwarding. He described his attack as being easy to pull of by anyone with the budget to buy VPN accounts with multiple service providers. Copyright litigation firms in particular may find the Port Fail vulnerability a good way to go after BitTorrent users, he said.

VPN providers won’t be going away, but users may have to alter practices to cover their tracks and remain aware of security vulnerabilities. Similarly, providers will need to patch flaws immediately to prevent cybercrime from affecting their users.

More from

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today