Security experts at the VPN provider Perfect Privacy discovered a new vulnerability dubbed Port Fail which affect all VPN (Virtual Private Network) protocols and operating systems. An attacker can exploit the Port Fail flaw to reveal the real IP-addresses of VPN users, including BitTorrent users.
Experts at Perfect Privacy tested nine VPN providers out of which five were found to be vulnerable to the Port fail flaw, the providers Private Internet Access (PIA), Ovpn.to and nVPN have fixed the issue before publication.
“We have discovered a vulnerability in a number of providers that allows an attacker to expose the real IP address of a victim. Port Fail affects VPN providers that offer port forwarding and have no protection against this specific attack.” Perfect Privacy wrote in a blog post on Thursday.
“The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work,” continues the post.
The attack works also against BitTorrent users and in this attack scenario there is no need for the attacker to redirect the victim to their page, the attacker only with the activated port forwarding for the default BitTorrent port can discover the real IP-address of a VPN user that share the same network.
The VPN affected by the vulnerability were already alerted by the company, but there is the risk that many other providers suffer the issue.
“other VPN providers may be vulnerable to this attack as we could not possibly test all.” states Perfect Privacy.
I suggest you giving a look to a blog post published by the penetration tester Darren Martyn describing the Port Fail attack scenario against Torrent users.
“I believe this kind of attack is probably going to be used heavily by copyright-litigation firms trying to prosecute Torrent users in the future, so it is probably best to double check that the VPN provider you are using does not suffer this vulnerability,” explained Martyn said.
(Security Affairs – VPN, Port Fail)