A zero-day vulnerability in the Linux client of Atlas VPN, version 1.0.3, has been discovered, posing a significant privacy risk to users. The vulnerability allows an attacker to expose a user’s actual IP address by simply visiting a website.
An exploit shared on Reddit demonstrated how an unauthenticated API endpoint in the VPN software can be abused to disconnect the VPN session and reveal the user’s IP address, undermining the core purpose of VPN usage.
The vulnerability affects Atlas VPN, a cost-effective VPN solution based on WireGuard that supports major operating systems. It was revealed that the API endpoint in the Linux client listens on localhost without authentication, permitting anyone, including websites, to issue commands to the VPN client’s command-line interface (CLI). This vulnerability was deemed a severe privacy breach as it exposes a user’s approximate physical location and true IP address, making tracking possible.
Amazon cybersecurity engineer Chris Partridge confirmed the exploit, highlighting that it bypasses Cross-Origin Resource Sharing (CORS) protections in web browsers. While CORS typically blocks requests between different domains, this exploit leverages form submissions to access the URL that disconnects the Atlas VPN connection in Linux.
Atlas VPN responded to the issue four days after its disclosure and pledged to release a patch promptly, with Linux users being notified when the update is available. Until the patch is released, users are strongly advised to take precautions and consider alternative VPN solutions to protect their online privacy.