From Torrent Freak:
For the past several years interest in encrypted and anonymous communications has spread to a much wider audience.
VPN providers are particularly popular among BitTorrent users, who by default broadcast their IP-addresses to hundreds of people when downloading a popular file.
The goal of using a VPN is to hide one’s ISP IP-address, but a newly discovered vulnerability shows that this is easily bypassed on some providers.
The problem, uncovered by VPN provider Perfect Privacy (PP), is a simple port forwarding trick. If an attacker uses the same VPN as the victim the true IP-address can be exposed by forwarding traffic on a specific port.
The security flaw affects all VPN protocols including OpenVPN and IPSec and applies to all operating systems.
“Affected are VPN providers that offer port forwarding and have no protection against this specific attack,” PP notes.
For example, if an attacker activates port forwarding for the default BitTorrent port then a VPN user on the same network will expose his or her real IP-address.
The same is true for regular web traffic, but in that case the attacker has to direct the victim to a page that connects to the forwarded port, as Perfect Privacy explains in detail.
The vulnerability affected the setup of various large VPN providers, who were warned last week. This included Private Internet Access (PIA), Ovpn.to and nVPN, who have all fixed the issue before publication.
PIA informs TorrentFreak that their fix was relatively simple and was implemented swiftly after they were…