Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Encryption Security

Privacy Vulnerability Exposes VPN Users' Real IP Addresses (thestack.com) 94

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.
This discussion has been archived. No new comments can be posted.

Privacy Vulnerability Exposes VPN Users' Real IP Addresses

Comments Filter:
  • by houstonbofh ( 602064 ) on Friday November 27, 2015 @07:59PM (#51015639)
    Essentially, you are having the user connect to the internal address of the VPN server for your forwarded port, and therefore you do not go through the VPN or NAT. A good VPN service will have bound your port to the external address only, and this would not work. And the bad ones will fix this quickly, I bet.
  • Bigger problems (Score:5, Insightful)

    by ilsaloving ( 1534307 ) on Friday November 27, 2015 @08:02PM (#51015649)

    The only requirement is that the attacker has port forwarding enabled on the same VPN network as its target. A phishing link or laced image file, for example, is then sent to the victim which leads the traffic to a port under the hacker’s control.

    So... using a social engineering attack can expose the victim's IP address. Am I missing something? Cause to me this falls under the category of "Well no shit, Sherlock!" If you can convince a user to run a malicious payload, then having an IP address exposed is the least the victim's problems.

    • by Anonymous Coward

      If someone obtains a VPN connection and routes all of their traffic over that connection, it's reasonable for them to assume that their real IP address won't "leak." Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint. Even if the user opens malware or clicks a specially crafted link, there should still be an expectation that any resulting traffic won't reveal the user's true IP. Some of the commercial VPN services are obviously doing it properly, as the exploit do

      • by Anonymous Coward

        So:

        "A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN"

        Is a misleading scare tactic opening, and "Privacy Vulnerability Exposes VPN Users' Real IP Addresses" is a scare tactic title, when it should really be "poorly implemented VPNs can leak users real IP"

        • by AHuxley ( 892839 )
          For that a list of who kept the IP would be needed so the product offered can be better understood.
          Is it having all servers in one nation under one brands internal control?
          Servers in a lot of nations but under total control of the brand?
          Some internal network with a way in and a totally different server network out?
          An external wired router passing the totality of all OS, app network traffic to a VPN should not be leaking any ISP ip.
      • "Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint."

        Uhhh... nope, why should that be the case?

        The purpose of a Virtual Private Network is to, well, Virtually making a Private Network, as if it was Local (LAN is another interesting acronim here) over other non-local networks.

        And then, the article states " The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the u

        • The term VPN has been co-opted by providers that provide VPN and routing services. People pay for this service so that they can mask their true location -- for example, to use video services not available in their country.

          Individual users are not using the VPN to connect to each other, but instead to connect to the VPN endpoint, from where their encapsulated packets are routed to the destination website (and obviously, the replies are routed back the same way)

          • "The term VPN has been co-opted by providers that provide VPN and routing services. People pay for this service so that they can mask their true location -- for example, to use video services not available in their country."

            Oh, I see now! People got fooled into buying a VPN service when they wanted and anonymizer service.

            "Individual users are not using the VPN to connect to each other, but instead to connect to the VPN endpoint, from where their encapsulated packets are routed to the destination website"

            An

            • by dave420 ( 699308 )

              VPNs and anonymous proxies are both used for avoiding geo-blocking. Saying someone should only use the latter is somewhat silly, considering anonymous proxies are even more leaky than a well-configured VPN.

        • >> "Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint."

          > Uhhh... nope, why should that be the case?

          To avoid a subpoena for the records of the connecting IP address, or to fool geo-IP based content restrictions from blocking people outside the UK from watching BBC programs, or to evade the "Great Firewall" of China, or to avoid tracking a command control center for a botnet, or to avoid detection of the "amazing offer" as coming from Nigeria, or simply to

          • "To avoid a subpoena for the records of the connecting IP address, or to fool geo-IP based content restrictions"

            No. That's -maybe, what a consumer would want, not what a VPN offers.

            VPN offers seamless connectivity between two non-topologically contiguous data networks, not anonymity.

            • by dave420 ( 699308 )

              They don't want anonymity! They want to bypass geo-blocking. That is a perfect use for a VPN.

              • "They want to bypass geo-blocking. That is a perfect use for a VPN."

                No, it isn't, or else, this full Slashdot article wouldn't exist.

        • by AK Marc ( 707885 )
          VPN means "encrypted proxy". Nothing more, nothing less, at least in this context.
          • "VPN means "encrypted proxy". Nothing more, nothing less, at least in this context."

            Yeah, well... and RAID means backup. But then, surprise, surprise!

      • If that's your goal, you should be using a SOCKS proxy. VPNs are designed for an entirely different purpose.

        So while there is some truth to your statement, some people do that, their actions make about as much sense as:

        Inserting a screw is often the entire purpose of a hammer, at least from a clueless standpoint.

        You CAN hammer a screw in, and many people have done it. I have, once. Sometimes it works. But it would be stupid to say that a hammer is broken because it's not very good for inserting screws.

        • by sims 2 ( 994794 )

          As far as I can tell from the first page of google "incoming connections socks proxy" socks doesn't really allow for incoming connections. However I see many vpn providers support port forwarding.

          I've been wanting to setup a ftp server at home for a while but I don't want to pay the extra cash for a static ip.

          How would you go about it?

          Vpn?
          Web hosted ftp?
          Or something else?

          • by sims 2 ( 994794 )

            The reason I mention static ip is that's the only thing my isp offers that will bypass their Nat. While a permanent static ipv4 address would be handy it would also cost about the same as 10 years of vpn service.

            I would hope that I will be able to get real broadband within 10 years. But att has been saying they would for the last 15 years or so.

          • > How would you go about it?
            > Vpn?
            > Web hosted ftp?
            > Or something else?

            What's the purpose, the goal? A $5 vps might be a solution, Google Drive might be. For being just like running an ftp server at home, dyndns solves the dynamic IP problem , sftp simplifies port forwarding and makes it more secure, but doesn't 100% solve the NAT issue. Some sort of vpn, possibly via an ssh port forward, to an external service may be needed if you must accept remote connctions conveniently. I suppose the act

            • by sims 2 ( 994794 )

              The root of the problem is I have one of those iPads with only 16GB of memory. So I can only fit a small amount of my library (after apps and whatever else only about 2GB left for media) if i had gotten one of those 128GB iPads or a expandable android tablet I wouldn't have have much of an issue.

              So my goal is to be able to in the fewest steps possible be able to transfer files to the oplayer app on the ipad as needed the app only supports http,samba,ftp,Dropbox and wd wifi storage.

              The http support is flakey

              • That's an interesting situation. I can certainly see a VPN with a port forward as being a reasonable solution, especially if you need a lot of storage. I'm assuming your ISP doesn't -also- offer IPv6 as well as the NAT IPv4.

                SSH port forwarding is a fast, easy way to set up a VPN with port forwarding in one command. Even if you don't use it for this purpose, it's a good tool to have in your toolbox. It requires that you have a shell account internet-facing box, which might be a $5/month web hosting account.

    • Comment removed based on user account deletion
    • The point is that a VPN is used to hide your IP address, but with this vulnerability, a single web page can subvert that. All the attacker needs to trick you into doing is opening a single TCP connection. This can be done with a single img or iframe tag on a page. It's not running a malicious payload, it's browsing the internet
    • If you can convince a user to run a malicious payload, then having an IP address exposed is the least the victim's problems.

      It's not as hard as you'd think. All you have to do is convince a user to make a connection to the VPN provider's IP at a specific port.

      In a common VPN use case where the VPN user doesn't want his IP known to the world, torrenting, it's pretty easy to convince a torrent client to connect to a specific IP/port: just join the swarm on that specific IP/port and wait for your target's torrent client to connect to you! It doesn't matter how savvy the computer operator is when the torrent client is a dumb piece o

  • TFA says that it is possible to trigger a request to the VPN gateway itself, by embedding a link to its address (example: <img src=”http://1.2.3.4:12345/x.jpg”>, and that request will show the real IP.

    But in order to get the real IP? the attacker must be able to eavesdrop the traffic between the victim and the VPN gateway, right?

    • No. The attacker forwards a port on the VPN gateway. This means that the attacker recieves any traffic on that port already, including the victim's IP. All the attacker needs is the same level of VPN access that the victim is paying for.
  • Is that a secret? (Score:5, Insightful)

    by Marc_Hawke ( 130338 ) on Friday November 27, 2015 @09:48PM (#51015941)

    I don't know that VPN's are supposed to hide the end IP addresses. They made a tunnel through the Internet so you can 'pretend' to be on the same Local network as the remote host. (That's the Virtual part.) They also encrypt that traffic so the Internet doesn't get to listen to what you say. (That's the Private part.)

    No where in VPN do I see that it's an 'anonymizing proxy' or something else that's supposed to obfuscate either of the end-points. Sure a lot of people started using VPN's for that purpose, but claiming there's a vulnerability or flaw in IPSec or OpenVPN because it's not 'anonymizing' seems like you've missed the mark a bit.

    • by AHuxley ( 892839 )
      The "anonymizing" part is that the VPN becomes your IP for that session.
      The ip found on the net should always stop back at the VPN provider. Thats the idea of the router for a system like openvpn. Your entire OS, all apps, web use can only connect via the VPN, no leaking an ISP IP out. The idea that anyone looking back from the VPN IP can see the users ISP is not the best news.
      • "The "anonymizing" part is that the VPN becomes your IP for that session. "

        That's a side effect at most.

        "Your entire OS, all apps, web use can only connect via the VPN, no leaking an ISP IP out"

        Sorry, but seemingly you don't understand what you are talking about. Once stablished, your Virtual Private Network is a Network just like any other else: you can route it, bridge it, masquerade it... In fact, that's the very goal of a VPN: making two topologically disconnected networks look like connected through

        • by AHuxley ( 892839 )
          Re 'Well, it isn't even news: that's the exact feature that allows, for instance, to connect two distant offices' networks as if they were one hop away."
          This is more about the services offered to show a VPN providers IP vs an ISP rather than a traditional "two distant offices" secure networking.
          • " This is more about the services offered to show a VPN providers IP vs an ISP rather than a traditional "two distant offices" secure networking."

            So what? The expectation is exactly the same: what happens on a node working as ending point for a VPN with regards other networks that node has access to is up to the node, not the VPN.

            So if a VPN ends in my computer I'll give for granted all other networks on my computer are visible to the other end unless I'm taking positive steps for that not being the case.

            • by AHuxley ( 892839 )
              The idea is the rest of the world will only ever see the VNP ip, not the users ISP ip. The leak exposed the users original ISP ip from the VPN ip.
    • by AK Marc ( 707885 )
      It's not a VPN. They just use VPN protocols to connect two machines, one is the user, and the other is a proxy. VPN is used incorrectly for 90% of "VPN services" out there.
  • by AHuxley ( 892839 ) on Friday November 27, 2015 @09:53PM (#51015955) Journal
    Ideas like this show why VPN use was not a huge issue "Revealed: how US and UK spy agencies defeat internet privacy and security" (6 September 2013)
    http://www.theguardian.com/wor... [theguardian.com]
    ".. decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to
    provide secure remote access .."
    or under the new UK net laws "Snooper's Charter: Why aren't VPNs and Tor mentioned in the Investigatory Powers Bill?" (November 5, 2015)
    http://www.ibtimes.co.uk/snoop... [ibtimes.co.uk]
    ".. but surprisingly, nowhere in the proposal does it mention the use of Virtual Private Networks (VPN)."

    What can be done? Some creative way for an internal double VPN?
    This could also show that VPN use is vulnerable at a city, state, private sector or federal level/budget rather than just a shorter list of advanced nations with a domestic collect it all capability.
  • Exposing internal IP addressses to other entities inside the VPN would be the 'N' part of VPN. The Private, or 'P' part is really meant for everone else. Why are these people short a whiteboard on this?
  • First of all this assumes the VPN incoming and outgoing IP is the same. This would be expected if you're using your home router as your VPN as you have only one IP but I don't think it should be for larger commercial providers, especially if you're using them to "hide you".

    Then it assumes the attacker can open ports on that IP (as a feature offered by the provider). If you connect to that IP:port you'll be doing it over your normal non-encrypted interface because of the way the routing table is configured o

  • The point of a VPN is not to keep your local IP address secret. The point is to establish a secure connection between your computer, and a remote private network. I would argue that if a VPN kept your local IP address a secret, this would itself be a security vulnerability, from the perspective of the owner of the private network!

  • Reading through this, it seems like it's much more likely to be useful for targeted attacks against people who are known to be actively moving all their traffic over VPNs.

    Basically if the attacker is able to host a service (via port forwarding) on the IP of the same VPN endpoint that the target is going out through, then when the target visits that service (via phishing email, malicious website linked images, etc.) the VPN service will allow the attacker to see the origin of the request.

Single tasking: Just Say No.

Working...