A researcher has disclosed a zero-day vulnerability in Atlas VPN's Linux client that reveals a user's real IP address when they simply visit a malicious website.
Atlas VPN, an affordable VPN solution utilizing the WireGuard protocol, offers compatibility with all major operating systems.
The researcher shared a proof-of-concept exploit on Reddit, showing that the latest Linux client, version 1.0.3, exposes an HTTP API that listens on localhost (127.0.0.1) on port 8076 and accepts commands from any web page the user opens.
The Atlas VPN Zero-Day Vulnerability
Reddit user 'Educational-Map-8145' published a proof-of-concept (PoC) exploit on Reddit that targets the Atlas VPN Linux API to expose users' actual IP addresses.
The PoC creates a hidden HTML form and submits it with JavaScript to the http://127.0.0.1:8076/connection/stop API endpoint. The user's own browser makes the request, so the fact that the API is bound to localhost offers no protection, and the call immediately terminates the active Atlas VPN session that had been concealing the user's IP address.
Once the VPN is disconnected, the PoC requests api.ipify.org, which returns the visitor's now-unmasked real IP address. That address reveals the user's approximate location and defeats the VPN's core purpose.
Amazon cybersecurity engineer Chris Partridge validated the exploit and recorded a demonstration video. CORS does not stop the attack: a cross-origin form submission is a "simple" request that the browser sends without a preflight, and the attacker never needs to read the response, only to have the request arrive. The local API acted on it without checking the Origin header or requiring any token that a third-party page could not supply.
“Assuming that forms should already guard against CSRF, which, as we can see today, is not a valid assumption and has led to unintended consequences,” Partridge cautioned.
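The following is an added illustration and is not code from Atlas VPN or from the Reddit PoC. It is a Node.js stand-in for a localhost control API with the same shape as the one described above (POST /connection/stop on 127.0.0.1:8076), shown first as it behaved, where any POST disconnects, and then with the request checks that block a hidden cross-site form submission. The page does not say how Atlas VPN fixed the client; the Origin, Sec-Fetch-Site, Content-Type and bearer-token checks below are standard CSRF defences chosen for the example, and the token value, the origin and all function names are assumptions.

```javascript
// Added example, not Atlas VPN's code. Requests are plain objects so the
// example runs offline; the headers are what a browser would really send.

// Secret known only to the VPN client's own UI process (hypothetical).
const LOCAL_API_TOKEN = "per-boot-random-token-0123";
// The listener's own origin; the only Origin a browser request may carry.
const OWN_ORIGIN = "http://127.0.0.1:8076";

function makeState() {
  return { connected: true };
}

function lowerHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
}

// Vulnerable: binding to 127.0.0.1 is the only "protection". The browser of
// a user who visits a malicious page makes the request on the attacker's behalf.
function vulnerableStop(req, state) {
  if (req.method !== "POST" || req.path !== "/connection/stop") {
    return { status: 404 };
  }
  state.connected = false;
  return { status: 200 };
}

// Hardened: each check below fails for a hidden <form> submission, and the
// token also blocks a fetch() that somehow gets past the first three.
function hardenedStop(req, state) {
  if (req.method !== "POST" || req.path !== "/connection/stop") {
    return { status: 404 };
  }
  const h = lowerHeaders(req.headers);
  // Browsers always attach Origin to a POST, and page script cannot forge it.
  if ("origin" in h && h.origin !== OWN_ORIGIN) {
    return { status: 403, reason: "foreign origin" };
  }
  // Browser-set fetch metadata; "cross-site" means another site initiated it.
  if (h["sec-fetch-site"] === "cross-site") {
    return { status: 403, reason: "cross-site request" };
  }
  // A form can only send the CORS-safelisted content types. Requiring JSON
  // forces a preflight, which this API never answers, so the browser stops.
  if (h["content-type"] !== "application/json") {
    return { status: 415, reason: "form content type" };
  }
  // A third-party page cannot read this token, so it cannot present it.
  if (h["authorization"] !== `Bearer ${LOCAL_API_TOKEN}`) {
    return { status: 401, reason: "missing token" };
  }
  state.connected = false;
  return { status: 200 };
}

// What the hidden, JavaScript-submitted form from the PoC looks like on the
// wire (constructed; the browser adds Origin and Sec-Fetch-Site itself).
function hiddenFormRequest() {
  return {
    method: "POST",
    path: "/connection/stop",
    headers: {
      "Origin": "https://attacker.example",
      "Sec-Fetch-Site": "cross-site",
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: "stop=1",
  };
}

// A legitimate call from the client's own UI (constructed).
function legitimateUiRequest() {
  return {
    method: "POST",
    path: "/connection/stop",
    headers: {
      "Origin": OWN_ORIGIN,
      "Sec-Fetch-Site": "same-origin",
      "Content-Type": "application/json",
      "Authorization": `Bearer ${LOCAL_API_TOKEN}`,
    },
    body: "{}",
  };
}

// Send the same cross-site form to both handlers, and the UI call to the
// hardened one; report the status and whether the tunnel survived.
function runDemo() {
  const vuln = makeState(), hard = makeState(), ui = makeState();
  const a = vulnerableStop(hiddenFormRequest(), vuln);
  const b = hardenedStop(hiddenFormRequest(), hard);
  const c = hardenedStop(legitimateUiRequest(), ui);
  return {
    vulnerable: { status: a.status, stillConnected: vuln.connected },
    hardened: { status: b.status, stillConnected: hard.connected },
    ui: { status: c.status, stillConnected: ui.connected },
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The vulnerable handler returns 200 and drops the tunnel for the cross-site form; the hardened handler answers 403 and leaves the tunnel up, while the client's own UI call still succeeds. A fetch() from the attacker's page fares no better: in no-cors mode it can only carry the same safelisted content types as a form, and any attempt to add the JSON content type or the Authorization header triggers a preflight the API never approves.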
A Fix in Progress
The Reddit user tried contacting Atlas VPN about the issue but received no response, leading them to opt for public disclosure due to the company’s lack of a bug bounty program.
Four days later, Atlas VPN responded, apologizing and pledging to swiftly resolve the Linux client issue, with plans to notify Linux users of the update.
An Atlas VPN spokesperson stated:
“We acknowledge the security vulnerability in our Linux client and are actively working on a swift solution. Once resolved, users will receive update instructions.
The vulnerability affects Atlas VPN Linux client version 1.0.3, potentially exposing the user’s IP address.
We highly value the role of cybersecurity researchers in enhancing security. We appreciate their efforts in bringing this issue to our attention. In the future, we will implement additional security measures. If you encounter potential threats related to our service, please contact us at security@AtlasVPN.com.”
Until a patched client ships, the vulnerability remains exploitable from any web page, so Linux users of the client are strongly urged to take precautions now, including considering an alternative VPN in the meantime.