A few weeks ago we covered a security flaw which allowed attackers to uncover the real IP-addresses of VPN users if their providers enable forwarding on their network.
The news was picked up widely as it affected millions of users. However, it is just one of the many possible exploits VPN users are facing.
This week another issue was highlighted by ProstoVPN. This “vulnerability” affects both users with a direct connection and those with routers that have UPnP port forwarding enabled.
use vpn torrenting for online privacy
The issue boils down to an essential network routing feature where UDP listening software (e.g., torrent clients) respond to packets that are sent to the user’s ISP IP-address, through the VPN interface.
This means that a potential attacker can link a VPN IP-address to a user’s ISP IP-address.
The issue can affect users on all operating systems and is not always easy to fix on the user end. VPN providers with custom software can address it, but with the standard OpenVPN, software users have to take action themselves.
While the scope of the issue is significant, as many users and providers have yet to address the issue, it requires quite a bit of effort to carry out an attack. It requires the attacker to send UDP packets to the entire Internet.
Also, there’s the possibility of false positives which means that it’s harder to pinpoint the exact ISP IP-address. With this in mind, it seems unlikely that monitoring companies will attempt to expose every BitTorrent user with a VPN.
ProstoVPN informs TorrentFreak that they alerted 11 providers, and two confirmed that they had fixed the issue with a software update.
“Information about this ‘feature’ was sent to 11 VPN providers, and only five of them replied: Private Internet Access and Perfect Privacy have released updated software which blocks incoming connections.”
Not all providers were equally responsive, and one suggested that the issue should be addressed by the users. There is some truth to that, but the same provider does protect its users against similar problems on the user-side, such as DNS, IPv6 and WebRTC leaks.
While there’s no need for outright panic, it is a proper development that these type of problems are being highlighted. It prompts VPN providers to take action and users to remain vigilant.
That said, it also shows that 100% anonymity is pretty much impossible.
More details on the routing “feature” and its consequences are available in ProstoVPN’s article and the statements published by Perfect Privacy and Private Internet Access.
Update: TorGuard informs TF that they were one of the notified VPN providers and that they’ve addressed the issue.
Update: CyberGhost tells TF that their Windows and Mac app are not affected by this issue. The issue was fixed two years ago.