Privacy Vulnerability Exposes VPN Users' Real IP Addresses

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.

Bigger problems

[ilsaloving]

The only requirement is that the attacker has port forwarding enabled on the same VPN network as its target. A phishing link or laced image file, for example, is then sent to the victim which leads the traffic to a port under the hacker’s control.

So... using a social engineering attack can expose the victim's IP address. Am I missing something? Cause to me this falls under the category of "Well no shit, Sherlock!" If you can convince a user to run a malicious payload, then having an IP address exposed is the least the victim's problems.

Is that a secret?

[Marc_Hawke]

I don't know that VPN's are supposed to hide the end IP addresses. They made a tunnel through the Internet so you can 'pretend' to be on the same Local network as the remote host. (That's the Virtual part.) They also encrypt that traffic so the Internet doesn't get to listen to what you say. (That's the Private part.)

No where in VPN do I see that it's an 'anonymizing proxy' or something else that's supposed to obfuscate either of the end-points. Sure a lot of people started using VPN's for that purpose, but claiming there's a vulnerability or flaw in IPSec or OpenVPN because it's not 'anonymizing' seems like you've missed the mark a bit.