AtlasVPN developers are working on a patch for an IP leak vulnerability whose details have been made public by a researcher who decided to take the full disclosure route after responsible disclosure attempts were ignored.
The researcher, who apparently wants to remain anonymous, shared the details on the Full Disclosure mailing list and on Reddit, claiming that he had unsuccessfully tried to contact AtlasVPN support in an effort to find a security contact or an official channel for reporting the vulnerability.
The security hole affects the AtlasVPN Linux client and it can be exploited by luring the targeted user to a website hosting the exploit code.
The exploit causes AtlasVPN to disconnect, which results in the user’s real IP address being leaked to the attacker’s website.
“The AtlasVPN Linux Client consists of two parts. A daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076,” the researcher explained.
“It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser. A malicious javascript on ANY website can therefore craft a request to that port and disconnect the VPN,” the researcher added.
The exploit code has been made public and it’s not difficult to use for malicious purposes. An attacker simply needs to add it to a website they control.
After the findings were made public and AtlasVPN was contacted for comment by information.killnetswitch, the company apologized for its slow response and promised to improve its vulnerability reporting process.
AtlasVPN told information.killnetswitch in an emailed statement that it does take security and user privacy seriously and it’s actively working on a patch. Impacted users will be prompted to update their Linux app to the latest version as soon as the fix becomes available.
“The vulnerability affects Atlas VPN Linux client version 1.0.3. As the researcher stated, due to the vulnerability, the application and, hence, encrypted traffic between a user and the VPN gateway can be disconnected by a malicious actor. This could lead to the user’s IP address disclosure,” AtlasVPN said.
“We greatly appreciate the cybersecurity researchers’ vital role in identifying and addressing security flaws in systems, which helps safeguard against potential cyberattacks, and we thank them for bringing this vulnerability to our attention. We will implement additional security checks in the development process to avoid such vulnerabilities in the future. Should anyone come across any other potential threats related to our service, please contact us via security(at)atlasvpn.com,” it added.