Atlas VPN zero-day allows sites to discover users’ IP address

Atlas VPN has confirmed the existence of a zero-day vulnerability that may allow website owners to discover Linux users’ real IP address.

Details about this zero-day vulnerability as well as exploit code have been publicly released on Reddit several days ago by the person who discovered the flaw and purportedly first tried to privately share the discovery with Atlas VPN.

About the Atlas VPN zero-day vulnerability

Atlas VPN offers a “freemium” and paid “premium” VPN solution that changes users’ IP address and encrypts the connections they make to websites and online services. The company provides an app for Windows, macOS, Linux, Android, iOS, Android TV, and Amazon Fire TV.

The discovered vulnerability affects only the AtlasVPN client for Lunux, v1.0.3 (i.e., the most current version).

“The AtlasVPN Linux Client consists of two parts. A daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser,” the poster explained the root cause of the flaw.

In short, with a malicious script, any website can craft a request to port 8076 to disconnect the VPN, and then run another request that leaks the user’s IP address.

The requirement for a successful “attack” is that the visitor uses Linux and actively uses v1.0.3 of the AtlasVPN Linux client when accessing the site. Admittedly, that considerably limits the pool of potential victims.

Chris Partridge, a security engineer and one of the moderators of the Cybersecurity subreddit, tested the exploit script and demonstrated the attack.

A fix is in the works

Rūta Čižinauskaitė, Atlas VPN’s head of communications, told Help Net Security that they are aware of the vulnerability.

“The vulnerability affects Atlas VPN Linux client version 1.0.3. As the researcher stated, due to the vulnerability, the application and, hence, encrypted traffic between a user and the VPN gateway can be disconnected by a malicious actor. This could lead to the user’s IP address disclosure,” she said.

The company is working on fixing the easily exploitable flaw as soon as possible and, once the problem is resolved, users will be prompted to update their Linux app to the latest version.

The head of the IT Department at Atlas VPN commented on the Reddit post and apologized for their slow reaction after the researcher contacted Atlas VPN support. “It’s unacceptable, and we will address this process accordingly so we can react much faster in the future,” they said.

Čižinauskaitė told Help Net Security that they will implement more security checks in the development process to avoid such vulnerabilities in the future, and directed researchers and anyone else who might come across other potential threats related to the service, to contact them via security@atlasvpn.com.

UPDATE (September 18, 2023, 15:50 a.m. ET):

“As of September 18th, 2023, the vulnerability is no longer present on the Linux app since its latest version. Following this resolution, we informed our users to update their applications to the fixed 1.1 version. Moreover, the Linux application is now available for download again on our website,” Čižinauskaitė told us.

“We are actively refining our internal communication processes and establishing a more structured vulnerability reporting mechanism. We are committed to ensuring that such oversights do not recur.”