A Reddit user known as “Educational-Map-8145” has exposed a critical zero-day flaw affecting the Linux client of Atlas VPN, a popular virtual private network service.
The vulnerability, which impacts the latest version of the client (1.0.3), allows malicious websites to disconnect the VPN and reveal the user’s IP address, raising concerns about user privacy and security.
According to the Reddit post published last week, the vulnerability stems from an API endpoint within the Atlas VPN Linux Client that listens on localhost (127.0.0.1) through port 8076.
This API provides a command-line interface for various functions, including disconnecting a VPN session via a specific URL. Notably, this API lacks any form of authentication, making it susceptible to abuse by any program running on the user’s computer, including web browsers.
“Depending on the infrastructure setup, often a VPN sits at the perimeter, allowing access to internal and external networks,” explained Mayuresh Dani, manager of threat research at Qualys.
“Security solutions that are in line trust the incoming and outgoing traffic. Endpoint VPN clients are [...] on all devices today, increasing the attack surface. This positioning makes VPNs an attractive target for both external and internal threat actors.”
The exploit code, shared by the researcher, demonstrates the issue, enabling any website to trigger the VPN disconnection and subsequently leak the user’s home IP address.
As security experts warn of the risk, Atlas VPN users are advised to exercise caution when browsing the web until a patch or solution is provided to address this critical vulnerability.
“This vulnerability appears to be caused by the assumption that Cross-Origin Resource Sharing [CORS] protection would prevent it, but CORS is designed to prevent data theft and loading of outside resources,” commented Shawn Surber, senior director of technical account management at Tanium.
“In this scenario, the attack uses a simple command instead, which slips through the CORS gauntlet – and in this case, turns off the VPN, immediately exposing the user’s IP and therefore general location.”
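To make the two points above concrete (an unauthenticated loopback API, and CORS not stopping a browser from sending a "simple" request), here is an added example, not Atlas VPN's code, of a loopback control API with the checks the article says were missing. The disconnect path, the header name and the token file are assumptions; only the 127.0.0.1:8076 listener comes from the article.

```python
import http.server
import secrets
from typing import Mapping

# Constructed example, not Atlas VPN's code: a local control API that listens
# on 127.0.0.1:8076 as described, with two independent authorization checks.

# Assumed: generated once per install and stored in a file only the local user
# can read, so a native client can present it but a web page cannot know it.
LOCAL_TOKEN = secrets.token_hex(32)


def authorize_request(headers: Mapping[str, str], expected_token: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a request to the local control API.

    Either check alone would have blocked the browser-driven disconnect:
    1. Reject anything carrying an Origin header. Browsers add it to
       cross-site requests (including CORS "simple" POSTs, which are sent
       without a preflight); native local tools do not.
    2. Require a secret in a custom header. A custom header forces a CORS
       preflight that this server never approves, so a page cannot attach
       the token even if it somehow learned it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        return False, "browser-originated request (Origin header present)"
    token = h.get("x-local-api-token", "")
    if not secrets.compare_digest(token, expected_token):
        return False, "missing or wrong local API token"
    return True, "ok"


class ControlHandler(http.server.BaseHTTPRequestHandler):
    DISCONNECT_PATH = "/disconnect"  # hypothetical; the article does not name the real URL

    def do_POST(self) -> None:
        if self.path != self.DISCONNECT_PATH:
            self.send_error(404)
            return
        allowed, reason = authorize_request(dict(self.headers), LOCAL_TOKEN)
        if not allowed:
            # Log refusals: a burst of them from a browser is a useful detection signal.
            self.log_message("refused disconnect: %s", reason)
            self.send_error(403, reason)
            return
        # A real client would tear down the tunnel here.
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Loopback-only binding, as in the original client; binding alone is not authentication.
    http.server.HTTPServer(("127.0.0.1", 8076), ControlHandler).serve_forever()
```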
Despite the potential security risk, attempts to contact Atlas VPN’s support for responsible disclosure or information on a bug bounty program by Educational-Map-8145 have reportedly gone unanswered.
However, the company replied to Infosecurity's request for comment by saying they are aware of the vulnerability and have confirmed its authenticity.
"We’re actively working on fixing the vulnerability as soon as possible. Once the vulnerability is eliminated, users will receive a prompt to update the Linux app to the latest version. In the meantime, we informed our users to withhold from using the Atlas VPN Linux app until the vulnerability is fixed," Atlas VPN told Infosecurity in an email.
The company also said that it does not currently have a bug bounty program in place. Nevertheless, should anyone discover any potential threats or vulnerabilities associated with their service, they are encouraged to contact the company via security@atlasvpn.com.
UPDATE: This article was updated on 08/09/2023 to include Atlas VPN's comment.