If you use a VPN, beware of this anonymity-killing security flaw
Uses port forwarding to reveal the real IP address
If you use a VPN (virtual private network) connection, you might not be as anonymous or secure as you thought, as reports have surfaced of a security flaw that allows a user's real IP address to be pinpointed.
This news comes courtesy of a VPN provider by the name of Perfect Privacy (as spotted by the Register), although there are certainly caveats when it comes to tracing a real IP using the vulnerability.
The flaw is described as "port fail" and it affects virtual private network providers that offer port forwarding – if they have no protection implemented against this issue, of course.
An attacker using the same VPN as a potential victim simply needs to set up port forwarding (note that the victim doesn't have to be using port forwarding), connect to the same server as the victim, and then trick the victim into clicking a link to a site which is under the attacker's control.
The attacker will then be able to discover the real IP address of the victim.
This affects all VPN protocols across all operating systems, Perfect Privacy notes (assuming the VPN provider hasn't taken the appropriate defensive measures, of course).
Mitigation measures
Perfect Privacy suggests one method of mitigation in its blog post on the matter: "On Client connect set server side firewall rule to block access from Client real IP to portforwardings that are not his own."
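One way a provider could generate those per-client rules on connect and remove them on disconnect, as an added example that is not Perfect Privacy's code. It assumes Linux iptables with port forwards implemented as DNAT on the server's exit IP; the forwards table, account names and addresses are constructed.

```python
import ipaddress

# Constructed sample data: forwarded (protocol, port) -> owning account.
FORWARDS = {
    ("tcp", 40001): "alice",
    ("tcp", 40002): "bob",
    ("udp", 40002): "bob",
}


def block_rules(client_id, real_ip, exit_ip, forwards, action="-A"):
    """Build iptables commands that drop packets from a client's real IP
    to every forwarded port on exit_ip that the client does not own.

    action is "-A" when the client connects and "-D" when it disconnects,
    so the same call removes exactly the rules it added.
    """
    if action not in ("-A", "-D"):
        raise ValueError("action must be -A or -D")
    src = ipaddress.ip_address(real_ip)  # rejects malformed input
    dst = ipaddress.ip_address(exit_ip)
    if src.version != dst.version:
        raise ValueError("real_ip and exit_ip must be the same IP version")
    binary = "iptables" if src.version == 4 else "ip6tables"

    rules = []
    for (proto, port), owner in sorted(forwards.items()):
        if owner == client_id:
            continue  # the client's own forwards stay reachable
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError(f"bad forward: {proto}/{port}")
        # Assumption: forwards are DNAT rules; mangle PREROUTING runs before
        # nat PREROUTING, so --dport still matches the public forwarded port.
        rules.append([binary, "-t", "mangle", action, "PREROUTING",
                      "-s", str(src), "-d", str(dst),
                      "-p", proto, "--dport", str(port), "-j", "DROP"])
    return rules


if __name__ == "__main__":
    # Constructed connect event: account "alice" arriving from 198.51.100.7.
    for rule in block_rules("alice", "198.51.100.7", "203.0.113.10", FORWARDS):
        print(" ".join(rule))
```

Each returned list can be passed to `subprocess.run` by the VPN daemon's connect and disconnect hooks; with many forwards, a provider would likely match a port set instead of one rule per port.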
You would hope that providers who are potentially in the firing line here will be quick to respond to this threat. Of course, user vigilance is also a factor in terms of not being lured to the attacker's bait site (though as the Register notes, BitTorrent users are especially in danger should they use port forwarding as their default torrent client port, as then they don't even need to be duped into visiting the malicious party's website).
There is already speculation about whether movie and music industry trade bodies could have been using this vulnerability to track down the IP addresses of pirates.
Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).