Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Port Forwarding Issue Exposes Real IP of VPN Users

Users’ real IP addresses have been exposed by some VPN service providers that offer port forwarding, experts warned on Thursday.

According to VPN company Perfect Privacy, five of nine tested service providers exposed their users’ real IP address, but others might be affected as well.

Users’ real IP addresses have been exposed by some VPN service providers that offer port forwarding, experts warned on Thursday.

According to VPN company Perfect Privacy, five of nine tested service providers exposed their users’ real IP address, but others might be affected as well.

Port forwarding is a feature that allows VPN users to run a server or an application that needs to be reachable from the Internet. The problem, says Perfect Privacy, is in the way some service providers have implemented the port forwarding feature.

The vulnerability, dubbed “Port Fail” by Perfect Privacy, can be exploited by an attacker who has an account on the same VPN service as the targeted user. For the attack to work, the attacker needs to know the victim’s VPN exit address, and set up port forwarding. It’s worth pointing out that only the attacker needs to have port forwarding enabled, not the victim.

Experts noted that the exit IP can be obtained via IRC or Torrent clients, or by getting the targeted user to visit a specially crafted website.

The attacker connects to the same server as the victim, enables port forwarding on it, and tricks the target into accessing the server on the designated port. A malicious actor could trick the victim into connecting to their port by embedding a link into an innocent-looking image.

“The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work,” Perfect Privacy explained. “If another user (the attacker) has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control.”

Developer and penetration tester Darren Martyn published a blog post on Thursday describing an attack scenario against Torrent users. The expert has pointed out that an attack exploiting the Port Fail vulnerability is not difficult to pull off and it doesn’t require advanced capabilities.

“I believe this kind of attack is probably going to be used heavily by copyright-litigation firms trying to prosecute Torrent users in the future, so it is probably best to double check that the VPN provider you are using does not suffer this vulnerability,” Martyn said.

Perfect Privacy says the vulnerability affects all operating systems and all VPN protocols, including the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), and OpenVPN.

Affected service providers have been notified and given time to address the flaw before its details were disclosed. Perfect Privacy has not named the affected vendors, but TorrentFreak has learned that the list of impacted VPN firms that quickly patched the security hole includes Ovpn.to, Private Internet Access (PIA) and nVPN.

Perfect Privacy has provided some recommendations on how to address the Port Fail issue.

Related Reading: Chinese VPN Used by APT Actors Relies on Hacked Servers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Privacy

Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...