Privacy Vulnerability Exposes VPN Users' Real IP Addresses

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.

Bigger problems

[ilsaloving]

The only requirement is that the attacker has port forwarding enabled on the same VPN network as its target. A phishing link or laced image file, for example, is then sent to the victim which leads the traffic to a port under the hacker’s control.

So... using a social engineering attack can expose the victim's IP address. Am I missing something? Cause to me this falls under the category of "Well no shit, Sherlock!" If you can convince a user to run a malicious payload, then having an IP address exposed is the least the victim's problems.

Re: Damn people are getting dumb

[RubberDogBone]

This is a mistake, then. If you want to torrent and avoid copyright holders, you need to use a SEED BOX somewhere overseas where they don't keep records. And then VPN from your home or whatever into that seed box. The box runs your torrents for you. The only traffic your IP sees is the encrypted transfers of completed files between you and the seed box. NOT VPN'd torrents.

This is of course not foolproof but it adds a nice layer between your own IP and the infringing activity. It also helps if you are on a bandwidth capped account as your connection doesn't have to support all the torrent traffic. And for cost, a seed box with VPN is not a lot more than a VPN alone. So it's not a big deal.

Well, a lot of people use vpns to hide their torrenting, and IP addresses are how copyright trolls find you and send you letters, so it kinda is an issue if you're paying for a VPN to hide your torrenting, and thus not get caught

Is that a secret?

[Marc_Hawke]

I don't know that VPN's are supposed to hide the end IP addresses. They made a tunnel through the Internet so you can 'pretend' to be on the same Local network as the remote host. (That's the Virtual part.) They also encrypt that traffic so the Internet doesn't get to listen to what you say. (That's the Private part.)

No where in VPN do I see that it's an 'anonymizing proxy' or something else that's supposed to obfuscate either of the end-points. Sure a lot of people started using VPN's for that purpose, but claiming there's a vulnerability or flaw in IPSec or OpenVPN because it's not 'anonymizing' seems like you've missed the mark a bit.

Re: Damn people are getting dumb

[dotancohen]

This is a mistake, then. If you want to torrent and avoid copyright holders, you need to use a SEED BOX somewhere overseas where they don't keep records.

Or how about a more novel idea: Instead of paying to avoid copyright, either actually pay for the movies you watch or don't watch them. Seriously, I use a VPN and I use bittorrent for legitimate purposes, and you are ruining my ability to use my tools responsibly.

Just like the idiots that shine laser pointers at landing airplanes so now I cannot use a laser pointer to responsibly teach my daughters astronomy, you are abusing and ruining a tool for nothing of value. If you are so addicted to movies that you cannot even afford to pay for your habit, then you need counseling.

Re: Damn people are getting dumb

[Linux+Freak]

What about the many, many movies that never actually get released where I live (likely 20% or more never get released here, as a way of "protecting" the domestic movie producing market here)? Oh, I get it, you want me to wait until they are released on DVD and have me import them, right? Too bad about region encoding, apparently I am a "thief" for wanting to buy & watch DVD's in a different region.

I am happy to pay for content, but don't make it impossible to do so and I'll stop circumventing. Hell, the money I pay for a VPN could go to the content provider instead.