AtlasVPN to Patch IP Leak Vulnerability After Public Disclosure

AtlasVPN developers are working on a patch for an IP leak vulnerability after a researcher publicly disclosed the flaw due to being ignored.

AtlasVPN developers are working on a patch for an IP leak vulnerability whose details were made public by a researcher who decided to take the full disclosure route after responsible disclosure attempts were ignored.

The researcher, who apparently wants to remain anonymous, shared the details on the Full Disclosure mailing list and on Reddit, claiming that he had unsuccessfully attempted to contact AtlasVPN support in an effort to find a security contact or an official channel for reporting the vulnerability.

The security hole impacts the AtlasVPN Linux client and it can be exploited by luring the targeted user to a website hosting the exploit code. 

The exploit causes AtlasVPN to disconnect, which results in the user’s real IP address being leaked to the attacker’s website.

“The AtlasVPN Linux Client consists of two parts. A daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076,” the researcher explained. 

“It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser. A malicious javascript on ANY website can therefore craft a request to that port and disconnect the VPN,” the researcher added.

The exploit code has been made public and it’s not difficult to use for malicious purposes. An attacker simply needs to upload it to a site they control. 
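The root cause the researcher describes is a daemon control API on localhost that trusts any caller. An added defender-side illustration (not AtlasVPN's code, and not derived from the published exploit) of the checks such a local API should apply before honouring a state-changing request: a per-session bearer token that only a local process can obtain, rejection of browser-originated requests (which carry Origin, Referer or Sec-Fetch-* headers), a loopback peer check and a Host header check. The request class, the `/disconnect` path and the token-file delivery mechanism are assumptions for the example; port 8076 is the one named in the article.

```python
import hmac
import secrets
from typing import Mapping, Tuple


class LocalApiRequest:
    """Constructed model of one HTTP request hitting the daemon's localhost port.
    Only the fields the authorization checks need are represented."""

    def __init__(self, method: str, path: str, headers: Mapping[str, str], remote_addr: str):
        self.method = method
        self.path = path
        # HTTP header names are case-insensitive; normalise once for lookups.
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.remote_addr = remote_addr


def generate_session_token() -> str:
    """Assumed delivery model: the daemon writes this token to a file readable
    only by the local user (mode 0600) and the CLI client reads it. A web page
    running in the browser cannot read local files, so it can never present it."""
    return secrets.token_urlsafe(32)


LOOPBACK_PEERS = ("127.0.0.1", "::1")
LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "[::1]")
# Headers a browser attaches to cross-site fetch/XHR, form posts and subresource
# loads; a native CLI client speaking to its own daemon never sends them.
BROWSER_HEADERS = ("origin", "referer", "sec-fetch-site", "sec-fetch-mode", "sec-fetch-dest")


def authorize_local_request(req: LocalApiRequest, expected_token: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every state-changing endpoint (e.g. disconnect)
    should run this before acting; a GET that only lists services could use a
    relaxed variant, but the token check should stay."""
    # 1. The socket must be bound to loopback, and the peer must actually be local.
    if req.remote_addr not in LOOPBACK_PEERS:
        return False, "non-loopback peer"

    # 2. Anything that looks like it came out of a browser is refused outright,
    #    regardless of token: this closes the "malicious JavaScript on any site" path.
    for name in BROWSER_HEADERS:
        if name in req.headers:
            return False, f"browser-originated request ({name} header present)"

    # 3. Host must be a loopback name; rejects requests routed via a rebound DNS name.
    host = req.headers.get("host", "").rsplit(":", 1)[0]
    if host not in LOOPBACK_HOSTS:
        return False, "unexpected Host header"

    # 4. Bearer token, compared in constant time.
    auth = req.headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    if not hmac.compare_digest(auth[len("Bearer "):], expected_token):
        return False, "bad token"

    return True, "ok"


if __name__ == "__main__":
    token = generate_session_token()
    cli = LocalApiRequest("POST", "/disconnect",
                          {"Host": "localhost:8076", "Authorization": "Bearer " + token},
                          "127.0.0.1")
    page = LocalApiRequest("POST", "/disconnect",
                           {"Host": "localhost:8076", "Origin": "https://attacker.example"},
                           "127.0.0.1")
    print("CLI request:", authorize_local_request(cli, token))
    print("Web page request:", authorize_local_request(page, token))
```

The order of the checks matters: the browser-header check runs before the token check so that a request from a page is refused even if a token somehow leaked into the page, and the token check means a non-browser local process (another user's program, a sandboxed app) still cannot drive the daemon without reading the protected token file. A Unix domain socket with filesystem permissions, which the researcher mentions as the alternative to a TCP port, removes the browser problem entirely, since browsers cannot open such sockets.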

After the findings were made public and AtlasVPN was contacted for comment by SecurityWeek, the company apologized for its slow reaction and promised to improve its vulnerability reporting process.

AtlasVPN told SecurityWeek in an emailed statement that it does take security and user privacy seriously and it’s actively working on a patch. Impacted users will be prompted to update their Linux app to the latest version as soon as the fix becomes available. 

“The vulnerability affects Atlas VPN Linux client version 1.0.3. As the researcher stated, due to the vulnerability, the application and, hence, encrypted traffic between a user and the VPN gateway can be disconnected by a malicious actor. This could lead to the user’s IP address disclosure,” AtlasVPN said. 

“We greatly appreciate the cybersecurity researchers’ vital role in identifying and addressing security flaws in systems, which helps safeguard against potential cyberattacks, and we thank them for bringing this vulnerability to our attention. We will implement more security checks in the development process to avoid such vulnerabilities in the future. Should anyone come across any other potential threats related to our service, please contact us via security(at)atlasvpn.com,” it added.

Update 09/18/2023: AtlasVPN developers told SecurityWeek that the vulnerability has been patched.

“As of September 18th, 2023, the vulnerability is no longer present on the Linux app since its latest version. 

Following this resolution, we informed our users to update their applications to the fixed 1.1 version. Moreover, the Linux application is now available for download again on our website.

We are actively refining our internal communication processes and establishing a more structured vulnerability reporting mechanism. We are committed to ensuring that such oversights do not recur.”

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.