CyberSecurity SEE

AtlasVPN Linux Vulnerability Exposes Users, Discloses IP Addresses

A security researcher has recently disclosed exploit code for the Linux version of AtlasVPN, a popular virtual private network (VPN) service owned by NordVPN. When a user is tricked into visiting a malicious website, this code can disconnect them from the VPN and reveal their IP address.

AtlasVPN, despite being a relatively young service with only four years of existence, boasts a user base of over 6 million people around the world. However, this security vulnerability in its Linux client raises concerns about the privacy and security of its users.

The exploit code was posted on the Full Disclosure mailing list and Reddit by an unidentified researcher using the username “icudar.” The researcher claims to have discovered this vulnerability in AtlasVPN’s Linux client and attempted to contact the vendor about the issue. However, after receiving no response, they decided to publicly disclose the exploit code.

The issue with AtlasVPN’s Linux client is a lack of authentication. The client opens an API on localhost on port 8076 without any authentication measures in place. This means that any program running on the same computer, including a web browser, can access this port and exploit the vulnerability.

“The entire purpose of a VPN is to mask users’ information, so this is a significant problem for users,” explains Shawn Surber, senior director of technical account management at Tanium, a leading endpoint security company.

The researcher behind the disclosure points out that the vulnerability could be mitigated with proper Cross-Origin Resource Sharing (CORS) protection. CORS is the browser mechanism that governs when a page from one domain may request resources from another. However, in this case, the exploit easily bypasses CORS by sending a specific type of request that the protection mechanism fails to flag. This simple command can disable the VPN and expose the user’s IP address and general location.
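The checks a local control API needs in order to close the gap described in the two paragraphs above, as an added example that is not AtlasVPN's code: it refuses requests carrying a browser Origin header, an unexpected Host, or a content type that browsers send without a CORS preflight, and it requires a per-user token. Only port 8076 comes from the article; the header policy, token scheme and sample requests are assumptions constructed for illustration.

```python
import hmac
import secrets

# Port 8076 is from the article; hosts, header policy and token scheme are assumptions.
ALLOWED_HOSTS = {"127.0.0.1:8076", "localhost:8076"}


def new_token():
    """Per-install secret; a real daemon would keep it in a file only the local user can read."""
    return secrets.token_hex(32)


def authorize(method, headers, expected_token):
    """Decide whether a state-changing request to the local API may proceed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if method != "POST":
        return False, "method not allowed"
    # A rebinding page reaches 127.0.0.1 under its own hostname, so pin the Host header.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host"
    # Browsers attach Origin to cross-origin POSTs; the local CLI has no reason to.
    if "origin" in h:
        return False, "browser-originated request"
    # Form and text/plain bodies are sent with no CORS preflight, so accept JSON only.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "content type not allowed"
    # Constant-time comparison of the bearer token.
    supplied = h.get("authorization", "").encode()
    if not hmac.compare_digest(supplied, ("Bearer " + expected_token).encode()):
        return False, "bad or missing token"
    return True, "ok"


def sample_requests(token):
    """Constructed requests: a web page's form POST, a rebinding page, a local process, the CLI."""
    base = {"Host": "127.0.0.1:8076", "Content-Type": "application/json"}
    return {
        "web_form": {"Host": "127.0.0.1:8076", "Origin": "https://site.example",
                     "Content-Type": "application/x-www-form-urlencoded"},
        "rebinding": {**base, "Host": "rebind.example:8076"},
        "no_token": dict(base),
        "cli": {**base, "Authorization": "Bearer " + token},
    }


if __name__ == "__main__":
    tok = new_token()
    for name, hdrs in sample_requests(tok).items():
        print(name, authorize("POST", hdrs, tok))
```

The token is what stops other local programs; the Origin, Host and content-type checks only address requests that arrive through a browser.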

To demonstrate the extent of the vulnerability, the researcher created malicious JavaScript code that successfully disconnected the VPN and leaked the user’s IP address by requesting port 8076. They express concern over AtlasVPN’s security decisions, stating that it is challenging to believe that such a significant flaw is merely a bug and not a deliberate backdoor.

While there is no evidence indicating that this vulnerability has been exploited in the wild, AtlasVPN has responded promptly to the disclosure. In a Reddit thread, the head of the IT department at AtlasVPN acknowledged the issue and reassured users that the company is actively working to fix the vulnerability. They also mentioned plans to notify all Linux client users and release a patch as soon as possible.

In a written statement provided to Dark Reading, AtlasVPN acknowledged the vulnerability and expressed their commitment to addressing the issue promptly. Although they did not provide an exact timeline for the release of the patch, the company assured users that they are actively working on resolving the vulnerability.

For now, AtlasVPN users are advised to exercise caution and avoid visiting unfamiliar or potentially malicious websites. It is crucial to stay updated with the latest information from the vendor regarding the availability of a patch or a security update.
