
A Reddit user known as “Educational-Map-8145” has exposed a critical zero-day flaw affecting the Linux client of the Atlas VPN service.
The vulnerability, which affects the latest version of the client (1.0.3), allows a malicious website to disconnect the VPN and reveal the user’s real IP address, raising serious privacy and security concerns.
The flaw stems from an API endpoint in the Atlas VPN Linux client that listens on localhost (127.0.0.1) on port 8076.
This API backs the client’s command-line interface and exposes various functions, including disconnecting the VPN session via a specific URL. It has no form of authentication at all, so any program running on the user’s computer, including a web browser, can call it.
The exploit code shared by the researcher demonstrates the issue: any website can trigger the VPN disconnection and subsequently learn the user’s home IP address.
Security experts warn of the risk, and Atlas VPN users are advised to exercise caution when browsing the web until a patch or workaround is available for this critical vulnerability.
This vulnerability appears to stem from the assumption that Cross-Origin Resource Sharing (CORS) would prevent it. CORS, however, is designed to prevent data theft and the loading of outside resources; it does not stop a simple request from being sent, it only stops the page from reading the response. This attack needs nothing more than a simple request carrying a command, which slips through the CORS checks and, in this case, turns off the VPN, immediately exposing the user’s IP address and therefore their approximate location.
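To make the CORS point concrete, here is an added example (not Atlas VPN’s code, and not the researcher’s exploit) that models a localhost control API first in the weak form the article describes, then in a hardened form where a browser-originated request cannot trigger the privileged action. The `/disconnect` path, the `X-Control-Token` header, and the way the token is shared with local callers are assumptions for illustration.

```python
# Added example, not Atlas VPN's code: a localhost control API in the weak form
# the article describes, then hardened. Endpoint name, port, header name and
# token handling are assumptions for illustration.
import secrets
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Case-insensitive header lookup, as HTTP requires.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def weak_authorize(req: Request) -> bool:
    # Weak design: the action fires for any caller that reaches the path.
    # A web page can do that with a plain GET; CORS does not stop the request
    # being sent, it only stops the page reading the response.
    return req.path == "/disconnect"


def looks_browser_initiated(req: Request) -> bool:
    # Browsers attach Origin and/or Referer, and modern ones Sec-Fetch-Site,
    # to requests a page causes; a local CLI or daemon does not. Treat any of
    # these as a red flag (defence in depth, not the primary control).
    if req.header("Origin") is not None or req.header("Referer") is not None:
        return True
    site = req.header("Sec-Fetch-Site")
    return site is not None and site != "none"


def hardened_authorize(req: Request, expected_token: str) -> bool:
    # State-changing actions only via POST on the exact path.
    if req.method != "POST" or req.path != "/disconnect":
        return False
    if looks_browser_initiated(req):
        return False
    supplied = req.header("X-Control-Token") or ""
    # Primary control: a secret only local processes can read. A page cannot
    # obtain it, and a cross-origin request carrying a custom header triggers
    # a CORS preflight the server never approves, so the browser never sends
    # the real request at all.
    return bool(expected_token) and secrets.compare_digest(supplied, expected_token)


# Assumed to be written at startup to a file readable only by the local user,
# from which the CLI reads it.
SESSION_TOKEN = secrets.token_hex(16)


class ControlHandler(BaseHTTPRequestHandler):
    def _req(self) -> Request:
        return Request(self.command, self.path, dict(self.headers.items()))

    def do_GET(self):
        # No privileged action is reachable via GET.
        self.send_response(405)
        self.end_headers()

    def do_POST(self):
        if hardened_authorize(self._req(), SESSION_TOKEN):
            # The real client would call its disconnect routine here.
            self.send_response(200)
        else:
            self.send_response(403)
        self.end_headers()


if __name__ == "__main__":
    print("control token:", SESSION_TOKEN)
    HTTPServer(("127.0.0.1", 8076), ControlHandler).serve_forever()
```

The header checks alone are not enough, since a page can cause a GET without an `Origin` header (an image or script tag, for instance); the token is the control that actually closes the hole, and requiring it in a custom header means any browser-initiated attempt dies at the preflight stage.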
Despite the potential security risk, Educational-Map-8145’s attempts to contact Atlas VPN support for responsible disclosure, or for information on a bug bounty program, have reportedly gone unanswered.