Perfect Privacy has discovered and published details of a potential attack vector on VPN service providers’ networks that could be exploited by hackers or law enforcement agencies. “Port Fail”, if used by an attacker, could result in the unmasking of a VPN user’s real IP address. The vulnerability affects VPN service providers that offer port forwarding and have no protection against this specific kind of attack.
This IP leak affects all VPN users; the victim does not necessarily have to use port forwarding, only the attacker has to set it up.
According to the blog post, they tested this vulnerability against nine different VPN providers, but only four of them had the required protection against the attack. The other five have been notified by Perfect Privacy so they can fix the issue as soon as possible, before someone abuses it. They also state that other VPN service providers could be vulnerable as well, since they could not test all services.
Perfect Privacy listed the requirements for the attack and described the specific IP leak. Quoting from their blog:
“The attacker needs to meet the following requirements:
– Has an active account at the same VPN provider as the victim