A few weeks ago we covered a security flaw which allowed attackers to uncover the real IP-addresses of VPN users, if their providers allow forwarding on their network.
The news was picked up widely as it affected millions of users. However, it is just one of the many possible exploits VPN users are facing.
This week another issue was highlighted by ProstoVPN. This “vulnerability” affects both users with a direct connection and those with routers that have UPnP port forwarding enabled.
The issue boils down to a rather basic network routing feature where UDP listening software (e.g. torrent clients) respond to packets that are sent to the user’s ISP IP-address, through the VPN interface.
This means that a potential attacker can link a VPN IP-address to a user’s ISP IP-address.
The issue can affect users on all operating systems and is not always easy to fix on the user end. VPN providers with custom software can address it, but with the standard OpenVPN software users have to take action themselves.
While the scope of the issue is large, as many users and providers have yet to address the issue, it requires quite a bit of effort to carry out an attack. It basically requires the attacker to send UDP packets to the entire Internet.
In addition, there’s the possibility of false positives which means that it’s harder to pinpoint the exact ISP IP-address. With this in mind, it seems unlikely that monitoring companies will attempt to expose every BitTorrent user with a VPN.
ProstoVPN informs TorrentFreak that they alerted 11 providers, and two confirmed that they have fixed the issue with a software update.
“Information about this ‘feature’ was sent to 11 VPN providers and only five of them replied: Private Internet Access and Perfect Privacy have released updated software which blocks incoming connections.”
Not all providers were equally responsive and one suggested that the issue should be addressed by the users. There is some truth to that, but the same provider does protect its users against similar problems on the user-side, such as DNS, IPv6 and WebRTC leaks.
While there’s no need for outright panic, it is a good development that these type of problems are being highlighted. It prompts VPN providers to take action and users to remain vigilant.
That said, it also shows that 100% anonymity is pretty much impossible.
Update: TorGuard informs TF that they were one of the notified VPN providers and that they’ve addressed the issue.
Update: CyberGhost tells TF that their Windows and Mac app are not affected by this issue. The issue was fixed two years ago.