Users’ real IP addresses have been exposed by some VPN service providers that offer port forwarding, experts warned on Thursday.
According to VPN company Perfect Privacy, five of nine tested service providers exposed their users’ real IP address, but others might be affected as well.
Port forwarding is a feature that allows VPN users to run a server or an application that needs to be reachable from the Internet. The problem, says Perfect Privacy, is in the way some service providers have implemented the port forwarding feature.
The vulnerability, dubbed “Port Fail” by Perfect Privacy, can be exploited by an attacker who has an account on the same VPN service as the targeted user. For the attack to work, the attacker needs to know the victim’s VPN exit address, and set up port forwarding. It’s worth pointing out that only the attacker needs to have port forwarding enabled, not the victim.
Experts noted that the exit IP can be obtained via IRC or Torrent clients, or by getting the targeted user to visit a specially crafted website.
The attacker connects to the same server as the victim, enables port forwarding on it, and tricks the target into accessing the server on the designated port. A malicious actor could trick the victim into connecting to their port by embedding a link into an innocent-looking image.
“The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work,” Perfect Privacy explained. “If another user (the attacker) has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control.”
Developer and penetration tester Darren Martyn published a blog post on Thursday describing an attack scenario against Torrent users. The expert has pointed out that an attack exploiting the Port Fail vulnerability is not difficult to pull off and it doesn’t require advanced capabilities.
“I believe this kind of attack is probably going to be used heavily by copyright-litigation firms trying to prosecute Torrent users in the future, so it is probably best to double check that the VPN provider you are using does not suffer this vulnerability,” Martyn said.
Perfect Privacy says the vulnerability affects all operating systems and all VPN protocols, including the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), and OpenVPN.
Affected service providers have been notified and given time to address the flaw before its details were disclosed. Perfect Privacy has not named the affected vendors, but TorrentFreak has learned that the list of impacted VPN firms that quickly patched the security hole includes Ovpn.to, Private Internet Access (PIA) and nVPN.
Perfect Privacy has provided some recommendations on how to address the Port Fail issue.
Related Reading: Chinese VPN Used by APT Actors Relies on Hacked Servers

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
