Flaw in AtlasVPN Linux clients discovered, update released


A simple code snippet in a webpage could disconnect instances of AtlasVPN’s Linux Client, exposing a user’s IP address. The zero-day flaw was discovered and shared by a user on Reddit and the company is now working on a fix.

Update (Sept. 18): AtlasVPN has resolved the vulnerability. According to the company, users should update their AtlasVPN Linux Clients to the newest version.

AtlasVPN has a vulnerability in Linux clients that can be exploited by malicious users to obtain the user’s real IP address.


The potential use of this flaw, however, is limited. It could only be exploited by a malicious web server that embeds special HTML code to disconnect the VPN. A vulnerable user would then have to visit that website for their AtlasVPN Linux client to be disconnected and their real IP address revealed.

“We're aware of the security vulnerability that affects our Linux client. We take security and user privacy very seriously. Therefore, we’re actively working on fixing it as soon as possible. Once resolved, our users will receive a prompt to update their Linux app to the latest version,” Rūta Čižinauskaitė, Head of Communications at AtlasVPN, commented to Cybernews.

She admitted that, if exploited, the vulnerability could enable malicious actors to disconnect the Atlas VPN Linux client version 1.0.3. This would cause users to access the internet without VPN protection and could lead to the user’s IP address disclosure.

The vulnerability would not compromise any other user data beyond an IP address. The vulnerability is also limited to Linux clients only, having no impact on any other AtlasVPN apps. No Windows, Android, or iOS users, which comprise the majority of AtlasVPN customers, are affected.

“We greatly appreciate the cybersecurity researchers’ vital role in identifying and addressing security flaws in our systems, which helps safeguard against potential cyberattacks, and we thank them for bringing this vulnerability to our attention,” she added. "We will implement more security checks in the development process to avoid such vulnerabilities in the future."

The code provided by the Reddit user doesn’t have any other use cases, and it hasn’t been found to be used on the internet by malicious actors. Yet the risk should not be underestimated, as Linux is usually preferred by computer enthusiasts and privacy advocates, including cybersecurity researchers.

The code was shared by a disposable Reddit account dubbed Educational-Map-8145, with no other posts. The account was suspended at the time of writing.


A security engineer was able to reproduce the results and shared his findings on Mastodon.

“The AtlasVPN daemon on Linux runs an HTTP server to accept CLI commands, it binds to 127.0.0.1:8076 by default. What's hilarious is that it accepts commands without any authentication – so if you open a malicious webpage, that webpage can fire a POST to 127.0.0.1:8076/connection/stop and instantly disconnect your VPN,” security engineer Chris Partridge shared.

A daemon is a service process that runs in the background on a computer without direct user interaction.
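The design weakness described above, a loopback HTTP control API that honours any POST, is a general pattern, and so is its fix. The following is an added example written for this article, not AtlasVPN's code; it models a hypothetical local daemon listening on 127.0.0.1:8076 and contrasts the weak authorisation check with a hardened one that refuses requests carrying browser-only headers, requires a bearer token a web page cannot know, and rejects an unexpected Host header (DNS rebinding). The token file, header names and sample requests are assumptions constructed for the example.

```python
"""Hardening a localhost control API against requests fired by a web page.

Added example, not AtlasVPN's code. A hypothetical local daemon accepts CLI
commands over HTTP on 127.0.0.1:8076 (the binding described in the article).
The weak check honours any POST to /connection/stop; the hardened check
only honours requests that could not have come from a browser.
"""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

LISTEN = ("127.0.0.1", 8076)  # loopback binding, as in the article

# Hypothetical shared secret. A real daemon would write it at startup to a
# file readable only by the local user (mode 0600) so the CLI can present it.
CONTROL_TOKEN = secrets.token_hex(32)

# Headers a browser attaches to cross-site fetches; a local CLI never sends them.
BROWSER_MARKERS = ("origin", "referer", "sec-fetch-site", "sec-fetch-mode")
ALLOWED_HOSTS = ("127.0.0.1", "localhost")


def _lower(headers):
    """Normalise header names to lowercase for case-insensitive lookup."""
    return {k.lower(): v for k, v in headers.items()}


def weak_authorize(method, path, headers):
    """Weak pattern: any POST reaching the stop endpoint is honoured."""
    return method == "POST" and path == "/connection/stop"


def hardened_authorize(method, path, headers, token=None):
    """Return (allowed, reason); denies anything a web page could have sent."""
    h = _lower(headers)
    if method != "POST" or path != "/connection/stop":
        return False, "unknown command"
    # 1. Browser-originated request: Origin/Sec-Fetch-* are always present on a
    #    POST issued by fetch() or a form, regardless of CORS mode.
    for marker in BROWSER_MARKERS:
        if marker in h:
            return False, f"browser-originated request ({marker} header present)"
    # 2. Require a secret only the local CLI can read; compare in constant time.
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    expected = CONTROL_TOKEN if token is None else token
    if not hmac.compare_digest(auth[len("Bearer "):], expected):
        return False, "bad token"
    # 3. Host must be the loopback name; defeats DNS rebinding, where a page's
    #    hostname resolves to 127.0.0.1 but the Host header names the attacker.
    if h.get("host", "").split(":")[0] not in ALLOWED_HOSTS:
        return False, "unexpected Host"
    return True, "ok"


class ControlHandler(BaseHTTPRequestHandler):
    """Minimal daemon endpoint wired to the hardened check."""

    def do_POST(self):
        allowed, reason = hardened_authorize("POST", self.path, self.headers)
        self.send_response(200 if allowed else 403)
        self.end_headers()
        self.wfile.write((b"disconnecting\n" if allowed else reason.encode() + b"\n"))

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


# Constructed sample requests (not captured traffic): headers a page's fetch()
# would carry versus what the local CLI sends.
BROWSER_POST = {
    "Host": "127.0.0.1:8076",
    "Origin": "http://constructed-page.example",
    "Sec-Fetch-Site": "cross-site",
    "Content-Type": "text/plain",
}
CLI_POST = {
    "Host": "127.0.0.1:8076",
    "Authorization": "Bearer " + CONTROL_TOKEN,
    "Content-Type": "application/json",
}


if __name__ == "__main__":
    print("weak check, browser request   :", weak_authorize("POST", "/connection/stop", BROWSER_POST))
    print("hardened, browser request     :", hardened_authorize("POST", "/connection/stop", BROWSER_POST))
    print("hardened, CLI request         :", hardened_authorize("POST", "/connection/stop", CLI_POST))
    HTTPServer(LISTEN, ControlHandler).serve_forever()
```

The three layers are deliberately independent: the header check alone stops a plain page, the token alone stops anything that cannot read the local filesystem, and the Host check closes the rebinding route that bypasses same-origin reasoning. Binding to loopback, as the daemon already does, is not by itself an authentication boundary because the user's own browser sits inside it.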

The Cybernews Research team was able to verify that the flaw could be exploited in malicious websites, yet the only damage would be the revealed IP address.

"Should anyone come across any other potential threats related to our service, please contact us via [email protected]," the company's spokesperson shared.