Researchers from a virtual private network (VPN) provider, Perfect
Privacy, discovered a gaping hole that can easily expose the real IP-address
of VPN users.
The flaw, dubbed "Port Fail," affects VPN providers, including those
used by BitTorrent users, that offer port forwarding and have no
protection against IP leaks.
Perfect Privacy alerted several affected competitors to the issue,
which affects all VPN protocols and operating systems, before making
it public.
Over the past several years, there has been wider interest in using
VPNs to bypass censorship in countries with stringent internet access
and to browse anonymously, especially since the Snowden revelations.
VPNs are used across the world by privacy-conscious people and to
circumvent geolocation-based content restrictions by disguising a
person's true location.
The aim of using a VPN is to hide the user's ISP IP-address, but the
discovery showed that this can be easily bypassed on some providers by using a
port forwarding trick. If the attacker uses the same VPN as the user, the
user's real IP-address can be exposed.
Perfect Privacy tested the vulnerability with nine VPN
providers that offer port forwarding. Five of them were vulnerable,
including Private Internet Access (PIA), Ovpn.to and VPN, which were notified
before public disclosure and have fixed the issue.
PIA awarded Perfect Privacy $5,000 for the disclosure.