Virtual private networks (VPNs) are supposed to help users protect their online privacy. VPN services obfuscate the user’s real IP address by routing traffic through other international servers. Plenty of online companies offer free or paid VPN subscriptions, which many users rely on to avoid geofences (read: access Netflix U.S. content from anywhere in the world), to download pirated content, or simply to mask their online activity for better privacy protection.
However, a discovery has revealed that VPN services aren’t as secure as you’d think, as a huge security flaw can apparently expose the real IP address of their users.
The flaw can be exploited whenever an attacker and a regular VPN user employ the same service. The attacker can discover the victim’s IP address by forwarding traffic on a particular port.
From the sounds of it, the attacker has to know what he or she is doing to actually hunt down a target’s IP address. In other words, this isn’t a security issue that regular VPN users could exploit by themselves. Crucially, the attacker has to trick the user into clicking on certain content for the attack to work.
“Affected are VPN providers that offer port forwarding and have no protection against this specific attack,” Perfect Privacy said. The flaw affects all VPN protocols across any operating system.
Some VPN providers have already taken action to patch the security issue, and it’s likely that others will also fix the problem in future updates.