
An Atlas VPN zero-day vulnerability affecting the Linux client leaks a user’s real IP address simply by visiting a website, writes Bleeping Computer*.
Atlas VPN is a VPN product that offers a cost-effective solution based on WireGuard and supports all major operating systems.
In a proof of concept exploit shared on Reddit, a researcher describes how the Linux client of Atlas VPN, specifically the latest version, 1.0.3, has an API endpoint that listens on localhost (127.0.0.1) over port 8076. This API offers a command-line interface for performing various actions, such as disconnecting a VPN session using the http://127.0.0.1:8076/connection/stop URL.
However, this API does not perform any authentication, so anyone can issue commands to the CLI, even a website you are visiting. This is a severe privacy breach for any VPN user, as it exposes their approximate physical location and actual IP address, allowing them to be tracked and nullifying one of the core reasons for using a VPN provider.
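The checks a loopback control API of this kind needs before it acts on a request, shown as an added example that is not Atlas VPN's code and not part of the original article. Only the loopback address, port 8076 and the `/connection/stop` path come from the article; the token scheme, the header checks and the names `authorize`, `ControlHandler` and `API_TOKEN` are assumptions made for illustration.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: a per-install secret that only the local user can read (e.g. a 0600 file).
# It is generated in memory here so the example is self-contained.
API_TOKEN = secrets.token_urlsafe(32)
ALLOWED_HOSTS = {"127.0.0.1:8076", "localhost:8076"}


def authorize(method, headers, token=API_TOKEN):
    """Return the HTTP status for a control request; 200 only if every check passes."""
    # State-changing actions must not be reachable through a plain GET.
    if method != "POST":
        return 405
    # Browsers attach Origin to cross-site POSTs; a local CLI has no reason to send it.
    if headers.get("Origin") is not None:
        return 403
    # Pin the Host header so another hostname resolving to loopback is refused.
    if headers.get("Host") not in ALLOWED_HOSTS:
        return 403
    # Require the shared secret, compared in constant time.
    supplied = headers.get("Authorization", "")
    if not hmac.compare_digest(supplied.encode(), f"Bearer {token}".encode()):
        return 401
    return 200


class ControlHandler(BaseHTTPRequestHandler):
    def _respond(self):
        status = authorize(self.command, self.headers)
        self.send_response(status)
        self.end_headers()
        if status == 200 and self.path == "/connection/stop":
            # Tunnel teardown would happen here; this example only acknowledges.
            self.wfile.write(b"stopping\n")

    do_GET = do_POST = _respond


if __name__ == "__main__":
    # Bind to loopback only; binding to 127.0.0.1 is not authentication by itself.
    HTTPServer(("127.0.0.1", 8076), ControlHandler).serve_forever()
```
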
According to Jake Moore, Global Security Advisor at ESET, although only a proof of concept, this is a worrying discovery and could heavily damage customer confidence. Such findings can go on to impact trust in products, but furthermore, these sorts of discoveries can potentially damage trust in the eyes of others who may not be so familiar with VPN software and its usage.
It is vital to use a VPN to keep data secure and private from prying eyes, but users will need to be reminded this is very rare, as a good VPN will work tirelessly to protect the user’s IP address. Linux client users are therefore immediately required to take precautions such as using an alternative VPN solution until a patch is released to remain secure and protected.
*ESET does not bear any responsibility for the accuracy of this information.
