This flaw uncovers a VPN user's true IP address

Just because you're hiding behind a VPN (virtual private network) doesn't mean your real IP address cannot be traced. That is the finding summarised in a report by security firm Perfect Privacy, which says that it has found a vulnerability “in a number of providers”.

The flaw, described as “port fail”, affects virtual private network providers which offer port forwarding and do not have appropriate protection against the vulnerability.

“This IP leak affects all users: The victim does not need to use port forwarding, only the attacker has to set it up,” it says in the report. After that, the attacker has to connect to the same server as the victim and get the victim to click a link to a site which is under the attacker's control.

Not an easy task, truth be told.

But if the attacker pulls this off, he can find out the victim’s true IP address. This affects all VPN protocols across all operating systems, Perfect Privacy says. The security firm has also given ways to mitigate the problem. Affected VPN providers should implement one of the following:

  • Have multiple IP addresses: allow incoming connections to ip1, exit connections through ip2-ipx, and have port forwardings on ip2-ipx
  • On client connect, set a server-side firewall rule to block access from the client's real IP to port forwardings that are not his own.
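
The second mitigation, as an added example that is not taken from the Perfect Privacy report or from any provider's code: on client connect, it prints the firewall rules that block the client's real IP from every port forwarding the client does not own. The use of iptables, the raw-table placement, the portfail_rules function name and the forwarding table are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample data, one port forwarding per line: owner exit_ip proto port
FORWARDS='alice 198.51.100.2 tcp 40001
bob 198.51.100.2 tcp 40002
bob 198.51.100.3 udp 40003
carol 198.51.100.3 tcp 40004'

# portfail_rules ACTION USER REAL_IP   (hypothetical helper, not a real tool)
#   ACTION  add (on client connect) or del (on client disconnect)
#   USER    VPN account that just connected
#   REAL_IP address the client connected from, outside the tunnel
# Prints one iptables command for every forwarding that USER does not own,
# dropping traffic that reaches it directly from REAL_IP. The raw table is
# used because it is evaluated before any DNAT rewrites the destination port.
portfail_rules() {
    action=$1 user=$2 real_ip=$3
    case $action in
        add) flag=-A ;;
        del) flag=-D ;;
        *) echo "action must be add or del" >&2; return 1 ;;
    esac
    # Accept only dotted-quad characters so the value cannot smuggle shell
    # or iptables syntax into the generated commands.
    case $real_ip in
        ''|*[!0-9.]*) echo "invalid client address" >&2; return 1 ;;
    esac
    printf '%s\n' "$FORWARDS" | while read -r owner exit_ip proto port; do
        if [ -z "$owner" ] || [ "$owner" = "$user" ]; then
            continue    # blank line, or the client's own forwarding
        fi
        printf 'iptables -t raw %s PREROUTING -s %s -d %s -p %s --dport %s -j DROP\n' \
            "$flag" "$real_ip" "$exit_ip" "$proto" "$port"
    done
}

# Demo with a constructed client address: rules to install when bob connects.
portfail_rules add bob 203.0.113.7
```

Calling the same function with del when the client disconnects prints the matching commands that remove the rules again.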

The vulnerability has sparked conversations over the (ab)use of the flaw. According to Tech Radar, speculation is already running rampant over whether movie and music industry trade bodies could have been using this vulnerability to track down the IP addresses of pirates.