Menu
VPN bug poses privacy threat to BitTorrent downloaders

VPN bug poses privacy threat to BitTorrent downloaders

The bug could be used to unmask a computer's real IP address

A bug affecting some VPN services can be used to figure out a computer's real IP addresses, including those of BitTorrent users, which could pose a huge privacy and possibly a legal risk.

The vulnerability affects those services that allow port forwarding, according to VPN provider Perfect Privacy, which wrote about the issue on Thursday.

A successful attack requires a couple of conditions to be met: the attacker must be on the same VPN network as the victim, who also has to be lured into connecting to a resource controlled by the attacker.

By tricking a victim into opening an image file, for example, an attacker who has port forwarding enabled on their account can see the request from the victim's real IP addresses.

"The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work," Perfect Privacy wrote.

For the IP address leak attack to work, the attacker must know the victim's VPN exit IP address, which Perfect Privacy suggested could be discovered by luring a victim to a website under their control.

Perfect Privacy tested nine VPN providers before it went public with the flaw. Five were vulnerable, and those providers have been notified, it said.

But the company warned "other VPN providers may be vulnerable to this attack as we could not possibly test all."

The vulnerability could be used to unmask people who are using BitTorrent clients to download content, wrote Darren Martyn, a security enthusiast and penetration tester, on his blog.

The BitTorrent protocol is used by client programs such as uTorrent to download content distributed among many users across the Internet. The entertainment industry has waged legal battles aimed at stopping the sharing of copyrighted content on file-sharing services.

To make it harder for their computer's real IP address to be identified, those downloading content often use VPNs. In theory, it makes their computers harder to link back to an ISP, depending on how a VPN provider responds to legal requests.

Martyn outlined how the entertainment industry could use the flaw to identify computers downloading protected content in a section described on his blog as "How to be evil."

"I believe this kind of attack is probably going to be used heavily by copyright-litigation firms trying to prosecute torrent users in the future, so it's probably best to double check that the VPN provider you are using does not suffer this vulnerability," he wrote.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.​

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments