If you use a VPN (virtual private network) connection, you might not be as anonymous or secure as you thought, as reports have surfaced of a security flaw that allows a user’s real IP address to be pinpointed.
This news comes courtesy of a VPN provider by the name of Perfect Privacy (as spotted by the Register), although there are certainly caveats when it comes to tracing a real IP using the vulnerability.
The flaw is described as “port fail” and it affects virtual private network providers that offer port forwarding – if they have no protection implemented against this issue, of course.
An attacker using the same VPN as a potential victim simply needs to set up port forwarding (note that the victim doesn’t have to be using port forwarding), connect to the same server as the victim, and then trick the victim into clicking a link to a site which is under the attacker’s control.
The attacker will then be able to discover the real IP address of the victim.
This affects all VPN protocols across all operating systems, Perfect Privacy notes (assuming the VPN provider hasn’t taken the appropriate defensive measures, of course).
Perfect Privacy suggests one method of mitigation in its blog post on the matter: “On Client connect set server side firewall rule to block access from Client real IP to portforwardings that are not his own.”
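The rule described in that quote could be generated per client as in the following added example, which is not code from Perfect Privacy or any VPN provider. It assumes an IPv4 Linux server that implements forwardings as iptables DNAT rules on its exit address; the forwarding table, account names and addresses are constructed, and the script only prints the rules.

```shell
#!/bin/sh
# Added example (not Perfect Privacy's code). It only PRINTS iptables
# commands; review them before applying anything on a real server.

# Constructed forwarding table: "<account> <proto> <port>" per line.
# The table format and account names are hypothetical.
FORWARDS='alice tcp 40001
alice udp 40001
bob tcp 40217
carol tcp 41555'

# portfail_rules <add|del> <account> <client-real-ip> <vpn-exit-ip>
# Prints one DROP rule for every forwarding the account does not own.
# "add" is meant for the connect hook, "del" for the disconnect hook.
portfail_rules() (
    case "$1" in
        add) flag=-A ;;
        del) flag=-D ;;
        *)   echo "usage: portfail_rules add|del account real_ip exit_ip" >&2
             exit 2 ;;
    esac
    account=$2 real_ip=$3 exit_ip=$4

    # These values end up in a command line: accept digits and dots only.
    for ip in "$real_ip" "$exit_ip"; do
        case "$ip" in
            ''|*[!0-9.]*) echo "bad address: $ip" >&2; exit 2 ;;
        esac
    done

    while read -r owner proto port; do
        [ -n "$owner" ] || continue
        [ "$owner" = "$account" ] && continue   # own forwardings stay reachable
        # Assumption: forwardings are DNAT rules in nat/PREROUTING. The raw
        # table is evaluated first, so the packet is dropped before redirect.
        printf 'iptables -t raw %s PREROUTING -s %s -d %s -p %s --dport %s -j DROP\n' \
            "$flag" "$real_ip" "$exit_ip" "$proto" "$port"
    done <<EOF
$FORWARDS
EOF
)

# Constructed addresses from the documentation ranges (RFC 5737).
portfail_rules add alice 203.0.113.7 198.51.100.10
```

The rule set for a connected client has to be regenerated whenever another account adds or removes a forwarding, otherwise new forwardings stay reachable from that client's real IP.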
You would hope that providers who are potentially in the firing line here will be quick to respond to this threat. Of course, user vigilance is also a factor in terms of not being lured to the attacker’s bait site (though as the Register notes, BitTorrent users are especially in danger should they use port forwarding as their default torrent client port, as then they don’t even need to be duped into visiting the malicious party’s website).
There is already speculation about whether movie and music industry trade bodies could have been using this vulnerability to track down the IP addresses of pirates.