December 1, 2015 By Jaikumar Vijayan 3 min read

People using virtual private network (VPN) services to mask their IP addresses when accessing the Internet might want to pay attention to a newly discovered vulnerability thought to affect many VPN providers.

The so-called Port Fail vulnerability enables attackers to unmask the real IP address of someone using a VPN service to browse the Internet, service provider Perfect Privacy warned in an alert issued Nov. 26. The vulnerability has to do with the way many VPN providers implement port forwarding services. It affects all operating systems and VPN protocols, including OpenVPN, IPSec and PPTP.

Potentially Widespread Vulnerability

According to the alert, five out of nine prominent VPN service providers that Perfect Privacy reviewed allowed attackers to gather the real IP addresses of people using their services. Others are likely vulnerable to the attack as well, the company said.

Port forwarding is a technique for directing network connections to specific devices behind a network router. It is needed when a resource on the Internet needs to connect directly with a computer or server behind a router or a network firewall. For instance, an individual running a game server behind a router might want to use port forwarding to enable other players to connect to the server via a specific port.

The problem, according to Perfect Privacy, is that many VPN service providers who offer port forwarding do so in a manner that lets an attacker unmask the IP addresses of those using the service.

Easy to Execute and Target IP Addresses

In order to unmask a victim’s IP address, an attacker would first need an account with the VPN service provider. The attacker would also need to find a way to get the victim’s exit IP address — for instance, by luring the victim to a website controlled by the attacker or via Internet relay chat.

To carry out an attack, cybercriminals then set up port forwarding on the same VPN server that the victim is on and trick the victim into accessing a specific port on the server.

“If another user [the attacker] has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control,” Perfect Privacy said.

By getting a victim to click on an image file, for example, an attacker that has enabled port forwarding would be able to see the real IP address of the victim since users need their real IP address in order to connect, the company said.

All five VPN service providers who were found to be vulnerable to this issue were informed of the problem so they could address it before the vulnerability was publicly released.

Serious Privacy Risk

People who use VPN services typically do so for security and privacy reasons, so news of a vulnerability that undermines the anonymity users have come to expect from such services is a big deal. Darren Martyn, a developer and penetration tester, described Port Fail as a potentially critical privacy risk — especially for people who use VPN services to cloak their BitTorrent downloads.

In a blog post, Martyn outlined a sample attack showing how someone could unmask Torrent users by essentially bulk registering accounts on vulnerable VPNs and enabling port forwarding. He described his attack as being easy to pull of by anyone with the budget to buy VPN accounts with multiple service providers. Copyright litigation firms in particular may find the Port Fail vulnerability a good way to go after BitTorrent users, he said.

VPN providers won’t be going away, but users may have to alter practices to cover their tracks and remain aware of security vulnerabilities. Similarly, providers will need to patch flaws immediately to prevent cybercrime from affecting their users.

More from

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

How red teaming helps safeguard the infrastructure behind AI models

4 min read - Artificial intelligence (AI) is now squarely on the frontlines of information security. However, as is often the case when the pace of technological innovation is very rapid, security often ends up being a secondary consideration. This is increasingly evident from the ad-hoc nature of many implementations, where organizations lack a clear strategy for responsible AI use.Attack surfaces aren’t just expanding due to risks and vulnerabilities in AI models themselves but also in the underlying infrastructure that supports them. Many foundation…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today