An Atlas VPN zero-day vulnerability affecting the Linux client leaks a user’s real IP address simply by visiting a website.
Atlas VPN is a VPN product that offers a cost-effective solution based on WireGuard and supports all major operating systems.
In a proof of concept exploit shared on Reddit, a researcher describes how the Linux client of Atlas VPN, specifically the latest version, 1.0.3, has an API endpoint that listens on localhost (127.0.0.1) over port 8076.
This API exposes the client's command-line interface (CLI) actions over HTTP, such as disconnecting a VPN session by requesting the http://127.0.0.1:8076/connection/stop URL.
However, the API performs no authentication at all, so anything that can reach 127.0.0.1:8076 can issue commands to it, including a web page loaded in the user's browser.
Atlas VPN API leads to zero-day exploit
A Reddit user named ‘Educational-Map-8145’ published a PoC exploit on Reddit that abuses the Atlas VPN Linux API to reveal a user’s real IP address. The PoC is a web page that, when loaded, sends a request to the http://127.0.0.1:8076/connection/stop API endpoint URL.
When this API endpoint is accessed, it automatically terminates any active Atlas VPN sessions that hide a user’s IP address.
Once the VPN connection is disconnected, the PoC connects to the api.ipify.org URL to log the visitor’s actual IP address.
This is a severe privacy breach for any VPN user as it exposes their approximate physical location and actual IP address, allowing them to be tracked and nullifying one of the core reasons for using a VPN provider.
Amazon cybersecurity engineer Chris Partridge tested and confirmed the exploit, recording a video that demonstrates it being leveraged to reveal an IP address.
Partridge further explained that the PoC bypasses existing CORS (Cross-Origin Resource Sharing) protections on web browsers because the requests are sent to the Atlas VPN API as form submissions.
“Form submissions are exempt from CORS for legacy/compatibility reasons, they’re considered a ‘simple request’ by the CORS spec,” Partridge told BleepingComputer.
Normally, CORS restricts what a script on a web page can do with a different origin: non-simple cross-origin requests (a custom header, a JSON body, a method other than GET, HEAD or POST) are only sent after a preflight the target must approve, and the response to any cross-origin request is withheld from the page unless the target opts in. A form submission is a “simple request”, so the browser sends it immediately, with no preflight. In the case of this exploit, that request is one from any website to a visitor’s localhost at “http://127.0.0.1:8076/connection/stop.”
Partridge explained to BleepingComputer that using a form submission to “bypass” CORS does not let the website read any response from the form submission. In this case, though, the response is not needed: the form submission is only used to hit the URL that disconnects the Atlas VPN connection on Linux, and the attacker observes the result through the separate request to api.ipify.org, which is made after the VPN has dropped.
“Assumption being that forms should already guard against CSRF. Which as we can see today, is not a good assumption and has led to some unintended consequences,” warned Partridge.
Fix coming in upcoming patch
The Reddit user claims that they contacted Atlas VPN about the problem but were ignored, and since the company had no bug bounty program in place, public disclosure was the only logical option left.
Atlas VPN eventually responded to the issue four days after the disclosure, apologizing to the reporter and promising to release a fix for its Linux client as soon as possible and to notify Linux users when the update is available.
In response to our request for a comment, a spokesperson for Atlas VPN has sent the following:
“We’re aware of the security vulnerability that affects our Linux client. We take security and user privacy very seriously. Therefore, we’re actively working on fixing it as soon as possible. Once resolved, our users will receive a prompt to update their Linux app to the latest version.
The vulnerability affects Atlas VPN Linux client version 1.0.3. As the researcher stated, due to the vulnerability, the application and, hence, encrypted traffic between a user and the VPN gateway can be disconnected by a malicious actor. This could lead to the user’s IP address disclosure.
We greatly appreciate the cybersecurity researchers’ vital role in identifying and addressing security flaws in systems, which helps safeguard against potential cyberattacks, and we thank them for bringing this vulnerability to our attention. We will implement more security checks in the development process to avoid such vulnerabilities in the future. Should anyone come across any other potential threats related to our service, please contact us via security@atlasvpn.com.” – Atlas VPN.
Given the critical nature of this zero-day vulnerability, which is publicly disclosed and remains exploitable from any web page until a patch is released, Linux client users are strongly advised to take immediate precautions, including considering an alternative VPN solution until the update ships.