Security experts have discovered a major zero-day flaw in Atlas VPN’s Linux client that basically renders the entire service useless.
A researcher going by the alias “Educational-Map-8145” posted a new thread on Reddit, in which they explain a bug in the Atlas VPN client for Linux which allows those that abuse it to view the user’s real IP address.
The whole purpose of a Virtual Private Network (VPN) is to mask people’s real IP addresses, and thus hide their identities while online.
Ignored by the company
As explained in the post, there is a VPN client API that doesn’t perform any authentication, meaning that any website with a malicious JavaScript attached to it can disconnect the session and expose the visitor’s real IP address.
Upon discovering the flaw, Educational-Map-8145 claims to have reached out to Atlas VPN, but was ignored. As the company didn’t have any active bug bounty programs, the researcher decided to go public. Since then, the company responded, saying it takes cybersecurity “very seriously” and that it’s currently working on developing a fix.
“We’re aware of the security vulnerability that affects our Linux client. We take security and user privacy very seriously. Therefore, we’re actively working on fixing it as soon as possible. Once resolved, our users will receive a prompt to update their Linux app to the latest version,” the company said.
The vulnerability affects Atlas VPN Linux client version 1.0.3, the company confirmed, adding that it’s working on implementing more security checks in the development process.
Until Atlas VPN comes back with a fix, users are vulnerable, and should thus exercise caution when using the VPN.
Via: BleepingComputer
