Atlas VPN security flaw leaked users' real IP address

VPN and other internet icons overlaid on a photo of a hand operating a tablet
(Image credit: Shutterstock)

Security experts have discovered a major zero-day flaw in Atlas VPN’s Linux client that basically renders the entire service useless. 

A researcher going by the alias “Educational-Map-8145” posted a new thread on Reddit, in which they explain a bug in the Atlas VPN client for Linux which allows those that abuse it to view the user’s real IP address. 

The whole purpose of a Virtual Private Network (VPN) is to mask people’s real IP addresses, and thus hide their identities while online.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Save 250+ yearly hours on manual configuration. Deploy your entire organization within a single day. Learn why Perimeter 81 is TechRadar's choice for the best Business VPN. Ditch legacy hardware and make the move to the cloud. See how simple it is for yourself.

 Preferred partner (What does this mean?

Ignored by the company

As explained in the post, there is a VPN client API that doesn’t perform any authentication, meaning that any website with a malicious JavaScript attached to it can disconnect the session and expose the visitor’s real IP address.

Upon discovering the flaw, Educational-Map-8145 claims to have reached out to Atlas VPN, but was ignored. As the company didn’t have any active bug bounty programs, the researcher decided to go public. Since then, the company responded, saying it takes cybersecurity “very seriously” and that it’s currently working on developing a fix. 

"We're aware of the security vulnerability that affects our Linux client. We take security and user privacy very seriously. Therefore, we're actively working on fixing it as soon as possible. Once resolved, our users will receive a prompt to update their Linux app to the latest version,” the company said.

The vulnerability affects Atlas VPN Linux client version 1.0.3, the company confirmed, adding that it’s working on implementing more security checks in the development process.

Until Atlas VPN comes back with a fix, users are vulnerable, and should thus exercise caution when using the VPN.

Via: BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.