This Atlas VPN Zero-Day Vulnerability May Leak Your IP

Update: AtlasVPN has shut down on April 24, 2024. Its existing customers have migrated to NordVPN. We’ll keep this AtlasVPN article as a reference for whoever needs any information.

One Reddit user has shared his findings of an Atlas VPN zero-day vulnerability with the community.

Its Linux client has an API endpoint that allows anyone, including the websites you visit, to end your VPN session.

Atlas VPN zero-day vulnerability explained

A Redditor named Educational-Map-8145 explained further how anyone can exploit this Atlas VPN vulnerability.

Version 1.0.3 of the VPN’s Linux client contains an API endpoint that listens on localhost 127.0.0.1 over port 8076.

It offers a command-line interface (CLI) that you can use to perform various actions. One thing you can do with it is terminate a VPN session through http://127.0.0.1:8076/connection/stop URL.

The main problem is that the API doesn’t perform any authentication, allowing anyone to issue this command. Even the website you’re visiting can do it.

Once someone ends your VPN session, you’ll be connected to the api.ipify.org URL which logs your real IP address.

This is a major issue that can lead to other problems. By displaying your approximate physical location and actual IP address, this vulnerability nullifies the reason for using a VPN in the first place.

Chris Partridge, an Amazon cybersecurity engineer, tested and confirmed the vulnerability. He then showed in a video how one can leverage the exploit to reveal a user’s IP address.

He said that the PoC bypasses the Cross-Origin Resource Sharing (CORS) browser protections as the requests go to AtlasVPN APU as form submissions.

CORS would normally block any requests from domains other than the origin domain, but this isn’t the case here.

While bypassing CORS still doesn’t allow a website to see the response from the form submission, this isn’t necessary. This is because the form submission is only used for accessing the URL which disconnects the user from Atlas VPN.

A fix coming in the next patch

Educational-Map-8145 first reached out to Atlas VPN about the issue but didn’t receive any response.

Once they realized they wouldn’t hear from the provider, they disclosed the vulnerability publicly.

On Reddit, Partridge criticized the VPN’s customer support team as he hadn’t heard from the agents for 72 hours after reporting the problem.

He was only told that the problem had been forwarded to the engineering team.

Eventually, Atlas VPN responded to the Reddit thread by apologizing and saying it’ll fix the problem in an upcoming patch for the Linux client.

The provider will also notify the users when the next update becomes available.

Until the fix is ready, switching to another Linux VPN is a good idea, as you probably don’t want someone exposing real IP.