UPDATE: Atlas VPN has released an update for its Linux app to fix this vulnerability.
“As of September 18th, 2023, the vulnerability is no longer present on the Linux app since its latest version,” Atlas VPN said in an email to VPNOverview. “We are actively refining our internal communication process and establishing a more structured vulnerability reporting mechanism.”
A zero-day vulnerability affecting the Linux client of Atlas VPN allows threat actors to disconnect the VPN and expose users’ IP addresses.
Reddit user “Educational-Map-8145” disclosed the bug on Sept. 1 after reportedly reaching out to Atlas VPN and not getting a response.
Cybersecurity engineer Chris Partridge also confirmed the vulnerability on Mastodon on September 2nd after testing it.
In an email to VPNOverview, Atlas VPN confirmed they’re aware of the vulnerability and are working to fix it “as soon as possible.”
“Upon discovering the vulnerability, we proactively notified our users. Also, to prevent any further potential exposure, we temporarily removed the Linux application from all download platforms until the vulnerability is fully addressed. Once resolved, our users will receive a prompt to update their Linux app to the latest version,” Atlas VPN said.
Atlas VPN launched its Linux client last year. Currently, the app is only supported on Ubuntu. “However, we plan to add support for other distributions, as well as more features, such as Kill Switch, in the near future,” Atlas VPN said in a blog post announcing the launch of its Linux app.
How Users’ IP Addresses Can be Leaked
The Atlas VPN Linux client opens an API on localhost port 8076 without any authentication, according to the proof of concept.
“This port can be accessed by ANY program running on the computer, including the browser,” Educational-Map-8145 wrote on Reddit. “A malicious javascript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the users home IP address to ANY website using the exploit code.”
This means a hacker-controlled website can use the Javascript code to access a user’s IP address, uncover their location, and track their online activities.
Most people use VPNs to enhance their anonymity online, but this exploit could expose the identities of Atlas VPN Linux users and put them at risk.
“I am not yet aware of it [the vulnerability] being used in the wild,” Educational-Map-8145 noted, adding that “hard to believe this is a bug rather than a backdoor.”
Protecting Your Privacy Online
While Atlas VPN has acknowledged that it’s working on a fix for the issue, there’s no indication of when the update will be released.
It’s not uncommon for VPNs to have security flaws, but the best VPN providers are always quick to plug any vulnerabilities and safeguard the privacy of their users.
In a paper published early last month, cybersecurity researchers uncovered two security vulnerabilities affecting all VPNs, dubbed TunnelCrack. In response to this, top VPNs, like NordVPN, took steps to mitigate the threat and protect their users.
We recommend being very selective with the VPN provider you choose. Always pick a VPN with a track record of protecting users’ privacy and prioritizing safety.
For more cybersecurity news, follow us on X (Twitter), Threads, and Mastodon!
