We have discovered a vulnerability in a number of VPN providers that allows an attacker to expose the real IP address of a victim. “Port Fail” affects VPN providers that offer port forwarding and have no protection against this specific attack. Perfect Privacy users are protected from this attack.
This IP leak affects all users: the victim does not need to use port forwarding; only the attacker has to set it up.
We have tested this with nine prominent VPN providers that offer port forwarding. Five of those were vulnerable to the attack and have been notified in advance so they could fix this issue before publication. However, other VPN providers may be vulnerable to this attack as we could not possibly test all existing VPN providers.
The attacker needs to meet the following requirements:
The IP leak can then be triggered as follows:
The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work. If another user (the attacker) has port forwarding activated for his account on the same server, he can find out the real IP address of any user on the same VPN server by tricking that user into visiting a link that redirects the traffic to a port under the attacker's control.
Also note that, due to the nature of this attack, all VPN protocols (IPsec, OpenVPN, PPTP, etc.) and all operating systems are affected.
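The routing behaviour described above can be checked on the client side with a longest-prefix-match lookup. The following is an added example, not part of the original advisory; the addresses (documentation ranges), interface names and route layout are constructed assumptions modelling a typical full-tunnel client.

```python
import ipaddress

# Constructed routing table of a connected full-tunnel VPN client.
# Assumed layout: two /1 routes send all traffic into the tunnel, while a
# host route keeps the VPN server itself reachable over the physical link.
ROUTES = [
    ("0.0.0.0/0",       "eth0"),  # original default route (real IP address)
    ("0.0.0.0/1",       "tun0"),  # tunnel, lower half of the address space
    ("128.0.0.0/1",     "tun0"),  # tunnel, upper half of the address space
    ("203.0.113.10/32", "eth0"),  # host route to the VPN server (assumed IP)
    ("192.168.1.0/24",  "eth0"),  # local LAN
]
TUNNEL_INTERFACES = {"tun0"}


def egress_interface(dest, routes=ROUTES):
    """Return the interface chosen for dest by longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]


def bypasses_tunnel(dest, routes=ROUTES, tunnel_ifaces=TUNNEL_INTERFACES):
    """True if traffic to dest leaves outside the VPN, i.e. with the real IP."""
    return egress_interface(dest, routes) not in tunnel_ifaces


def audit(destinations, routes=ROUTES):
    """Map each destination to the path its traffic takes."""
    return {d: ("real IP" if bypasses_tunnel(d, routes) else "tunnel")
            for d in destinations}


if __name__ == "__main__":
    # An arbitrary site goes through the tunnel; the VPN server's own
    # address, on any port, is reached over the default route instead.
    for dest, path in audit(["198.51.100.7", "203.0.113.10"]).items():
        print(f"{dest:15} -> {path}")
```

The lookup is port-agnostic, which is the point: the host route covers every port on the VPN server's address, not only the one the VPN connection itself uses.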
Affected VPN providers should implement one of the following: