Users’ real IP addresses have been exposed by some VPN service providers that offer port forwarding, experts warned on Thursday.
According to VPN company Perfect Privacy, five of nine tested service providers exposed their users’ real IP address, but others might be affected as well.
Port forwarding is a feature that allows VPN users to run a server or an application that needs to be reachable from the Internet. The problem, says Perfect Privacy, is in the way some service providers have implemented the port forwarding feature.
The vulnerability, dubbed “Port Fail” by Perfect Privacy, can be exploited by an attacker who has an account on the same VPN service as the targeted user. For the attack to work, the attacker needs to know the victim’s VPN exit address, and set up port forwarding. It’s worth pointing out that only the attacker needs to have port forwarding enabled, not the victim.
Experts noted that the exit IP can be obtained via IRC or Torrent clients, or by getting the targeted user to visit a specially crafted website.
The attacker connects to the same server as the victim, enables port forwarding on it, and tricks the target into accessing the server on the designated port. A malicious actor could trick the victim into connecting to their port by embedding a link into an innocent-looking image.
“The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work,” Perfect Privacy explained. “If another user (the attacker) has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control.”
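The routing behaviour Perfect Privacy describes is easy to reproduce on paper. The following Python model is an added illustration and not code from the article, from Perfect Privacy or from any VPN provider: it simulates the client's routing table after a VPN connects (a default route moved into the tunnel plus the host route to the VPN server that must stay on the physical interface) and asks which source address a packet to a given destination would carry. All addresses are constructed documentation values; the second server address used in the last check is a hypothetical configuration, assumed here only to show that the leak depends on the forwarded port sharing the address the client tunnels to.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One routing table entry: packets matching `prefix` leave via `interface`
    and are stamped with `source_ip`. Lower metric wins among equal prefixes."""
    prefix: ipaddress.IPv4Network
    interface: str
    source_ip: str
    metric: int = 0


def lookup(table, dst):
    """Longest-prefix match with metric as tie-breaker, as a real kernel does."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


# Constructed sample addresses (documentation ranges, not real hosts).
REAL_IP = "203.0.113.10"      # client's real address from its ISP
TUNNEL_IP = "10.8.0.6"        # client's address inside the VPN
VPN_SERVER = "198.51.100.5"   # public address of the VPN server the client tunnels to

# Client routing table once the VPN is up.
CLIENT_TABLE = [
    # The original default route via the physical interface.
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth0", REAL_IP, metric=100),
    # The VPN client overrides the default with two /1 routes into the tunnel
    # (the OpenVPN "redirect-gateway def1" pattern).
    Route(ipaddress.IPv4Network("0.0.0.0/1"), "tun0", TUNNEL_IP),
    Route(ipaddress.IPv4Network("128.0.0.0/1"), "tun0", TUNNEL_IP),
    # Host route to the VPN server via the physical interface: without it the
    # encrypted tunnel packets would be routed into the tunnel they carry.
    Route(ipaddress.IPv4Network(VPN_SERVER + "/32"), "eth0", REAL_IP),
]


def source_address_for(table, dst):
    """Source address a packet to `dst` would leave the client with."""
    return lookup(table, dst).source_ip


def forwarded_port_leaks(table, forward_ip, tunnel_iface="tun0"):
    """True if a connection to a port forwarded on `forward_ip` would bypass
    the tunnel, i.e. the server would see the client's real address."""
    return lookup(table, forward_ip).interface != tunnel_iface


if __name__ == "__main__":
    # Ordinary traffic goes through the tunnel and carries the VPN address.
    print("example.org-like host ->", source_address_for(CLIENT_TABLE, "93.184.216.34"))
    # Traffic to the VPN server's own address takes the host route: real address.
    print("VPN server itself     ->", source_address_for(CLIENT_TABLE, VPN_SERVER))
    print("port forwarded on VPN server leaks:", forwarded_port_leaks(CLIENT_TABLE, VPN_SERVER))
    # Hypothetical: forwarded ports live on a second server address (assumption,
    # not a recommendation taken from the article). No host route exists for it,
    # so the connection stays inside the tunnel.
    print("port forwarded on 198.51.100.6 leaks:", forwarded_port_leaks(CLIENT_TABLE, "198.51.100.6"))
```

The model makes the two halves of the quoted explanation concrete: every destination except the VPN server's own address matches a tunnel route, but the /32 host route the VPN client itself installs wins for the server address, so a connection to a port forwarded there is sent with the client's real IP. The same lookup can be run against a real `ip route` dump to check whether a given provider's forwarded-port address coincides with an address that has a bypass route.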
Developer and penetration tester Darren Martyn published a blog post on Thursday describing an attack scenario against Torrent users. The expert pointed out that an attack exploiting the Port Fail vulnerability is not difficult to pull off and does not require advanced capabilities.
“I believe this kind of attack is probably going to be used heavily by copyright-litigation firms trying to prosecute Torrent users in the future, so it is probably best to double check that the VPN provider you are using does not suffer this vulnerability,” Martyn said.
Perfect Privacy says the vulnerability affects all operating systems and all VPN protocols, including the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), and OpenVPN.
Affected service providers have been notified and given time to address the flaw before its details were disclosed. Perfect Privacy has not named the affected vendors, but TorrentFreak has learned that the list of impacted VPN firms that quickly patched the security hole includes Ovpn.to, Private Internet Access (PIA) and nVPN.
Perfect Privacy has provided some recommendations on how to address the Port Fail issue.