Atlas VPN’s Critical Flaw: Zero-Day Leak of User Real IP Addresses
An unidentified threat actor has uncovered a zero-day vulnerability affecting the Linux client of Atlas VPN, a popular VPN service known for its cost-effective solution based on WireGuard and compatibility with major operating systems. This vulnerability has significant implications as it enables the exposure of a user’s real IP address with alarming simplicity—merely by visiting a website.
Detailed in a proof-of-concept (PoC) exploit shared on Reddit, this security flaw revolves around Atlas VPN’s Linux client, specifically version 1.0.3. The vulnerability lies in an API endpoint that listens on localhost (127.0.0.1) via port 8076. This API provides a command-line interface (CLI) for various actions, including disconnecting a VPN session using the http://127.0.0.1:8076/connection/stop URL.
The critical issue here is that this API lacks any form of authentication, essentially allowing anyone, including a website you might be visiting, to issue commands to the CLI. This presents a severe privacy breach for Atlas VPN users, as it reveals their true IP addresses.
The PoC exploit functions by creating a concealed form automatically submitted via JavaScript to connect to the http://127.0.0.1:8076/connection/stop API endpoint URL. Accessing this endpoint terminates active Atlas VPN sessions that are responsible for hiding a user’s IP address. Once the VPN connection is severed, the PoC proceeds to connect to the api.ipify.org URL to record the visitor’s actual IP address.
This revelation has significant consequences, essentially nullifying one of the primary reasons for using a VPN—protecting one’s identity and location. Users are left vulnerable to tracking, compromising their privacy and security.
Amazon cybersecurity engineer Chris Partridge tested and confirmed the exploit’s effectiveness. His findings underline the severity of the situation. The exploit bypasses existing CORS (Cross-Origin Resource Sharing) protections on web browsers, as the requests are initiated as form submissions, a category exempt from CORS due to legacy reasons. This clever tactic allows websites to access the Atlas VPN API endpoint without triggering CORS safeguards.
However, the response from the form submission is inconsequential; what matters is the access it grants to the URL for disconnecting the Atlas VPN connection in Linux.
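The weakness the article describes is a localhost control API that will act on any request it receives, including a cross-site form post a browser is tricked into sending. As an added illustration (not Atlas VPN's code, and not the fix the company shipped, which the article does not detail), the following request-gating logic shows the checks a local control endpoint needs so that a web page cannot drive it: reject anything carrying browser origin or fetch-metadata headers, require a bearer token that an HTML form cannot attach, and refuse state-changing actions over GET. The `LocalRequest` type and `/connection/stop` path are assumptions for the example; the sample request is constructed.

```python
"""Illustrative request gating for a localhost control API (not Atlas VPN's code)."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class LocalRequest:
    """Minimal stand-in for an HTTP request hitting the local control API (assumed shape)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def _header(req: LocalRequest, name: str):
    """Case-insensitive header lookup."""
    return {k.lower(): v for k, v in req.headers.items()}.get(name.lower())


def authorize_control_request(req: LocalRequest, expected_token: str) -> Tuple[bool, str]:
    """Decide whether a request to the local control API may be acted on.

    Returns (allowed, reason). A native CLI talking to 127.0.0.1 sends no
    Origin/Sec-Fetch-Site headers and can attach an Authorization header;
    a browser-submitted form does the opposite, so these checks separate them.
    """
    # Browser-initiated requests carry Origin (form POSTs and fetch()) and, on
    # modern browsers, Sec-Fetch-Site. A local control API has no web clients,
    # so any such header means the request did not come from the CLI.
    origin = _header(req, "Origin")
    if origin is not None:
        return False, f"browser origin {origin} not allowed"
    fetch_site = _header(req, "Sec-Fetch-Site")
    if fetch_site is not None and fetch_site != "none":
        return False, "cross-site fetch metadata present"
    # An HTML form cannot set custom headers, so a per-install bearer token is
    # the control that actually closes the hole; compare in constant time.
    auth = _header(req, "Authorization") or ""
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    if not hmac.compare_digest(auth[len("Bearer "):], expected_token):
        return False, "bad token"
    # Disconnecting is state-changing: never honour it on a GET (link/navigation).
    if req.path.endswith("/connection/stop") and req.method != "POST":
        return False, "stop requires POST"
    return True, "ok"


# Constructed example of what a hidden cross-site form submission looks like on arrival.
SAMPLE_FORM_POST = LocalRequest("POST", "/connection/stop", {
    "Origin": "https://attacker.example",
    "Content-Type": "application/x-www-form-urlencoded",
})
```

Running `authorize_control_request(SAMPLE_FORM_POST, token)` rejects the constructed form post on its Origin header alone, while a CLI request with the correct bearer token over POST is the only path that reaches `ok`.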
Atlas VPN was alerted to this issue four days after the disclosure, following the Reddit user’s efforts to contact them, which initially went unanswered. Although the company lacked a bug bounty program, they have since taken the matter seriously. Atlas VPN issued an apology to the reporter and committed to releasing a fix for its Linux client without delay. Users will receive notifications once the update is available.
Atlas spokesperson response
In response to these developments, a spokesperson for Atlas VPN acknowledged the gravity of the situation and reaffirmed their commitment to security and user privacy. They also expressed gratitude for the vital role played by cybersecurity researchers in identifying and addressing such vulnerabilities.
Given the critical nature of this zero-day vulnerability and the imminent threat it poses, Linux client users are strongly urged to take immediate precautions, including considering alternative VPN solutions. Privacy and security must remain paramount in an increasingly interconnected digital landscape.
Source: bleepingcomputer.com