Atlas VPN unpatched vulnerability exposes users' real IP address
Take action: If you are using Atlas VPN on Linux, you may want to downgrade to a slightly older version that does not listen on http://127.0.0.1:8076/, or switch to an alternative VPN until a patch is released.
An Atlas VPN zero-day vulnerability affecting its Linux client has been discovered, posing a significant privacy risk: it leaks a user's real IP address to a website they visit. Atlas VPN is known for its cost-effective VPN solution based on WireGuard and its compatibility with major operating systems.
In a proof-of-concept exploit shared on Reddit, a researcher highlighted the issue in the latest version, 1.0.3, of the Atlas VPN Linux client. This version includes an API endpoint that listens on localhost (127.0.0.1) on port 8076, exposing the client's command-line interface (CLI) through URLs like http://127.0.0.1:8076/connection/stop. The problem is that this API has no authentication, so anything that can reach the loopback interface, including a web page open in your browser, can issue commands to the CLI.
The PoC exploit functions by creating a hidden form automatically submitted by JavaScript. This form connects to the http://127.0.0.1:8076/connection/stop API endpoint URL, which terminates active Atlas VPN sessions, thereby exposing the user's real IP address. Once disconnected, the PoC logs the visitor's actual IP address via the api.ipify.org URL.
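The underlying bug class is a loopback control API that trusts any caller. As an added illustration (not Atlas VPN's code; the header names, the bearer-token scheme and the request handler are assumptions), here is a Python stand-in for such an endpoint that a web page cannot drive, because a cross-site form post carries an Origin header and cannot read the per-user secret:

```python
"""Access check for a localhost control API, illustrating the mitigation for the
Atlas VPN 1.0.3 issue. Port and path are from the article; the token scheme and
header rules are assumptions, not Atlas VPN's implementation."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Generated once per process; a real client would write it to a file readable
# only by the logged-in user so the CLI can present it. A web page cannot read it.
API_TOKEN = secrets.token_hex(32)


def is_authorized(headers: dict, expected_token: str = API_TOKEN) -> bool:
    """Return True only for requests a cross-site web page cannot forge.

    The bearer token is the primary control. The Host and Origin checks are
    defence in depth: browsers attach Origin to cross-site POSTs (such as the
    auto-submitted form in the PoC) and always attach Host, while a local CLI
    sets neither Origin nor a foreign Host."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Host must name the loopback service (blocks DNS-rebinding style tricks).
    if h.get("host") not in ("127.0.0.1:8076", "localhost:8076"):
        return False
    # 2. Any Origin header means a browser sent this request; refuse it.
    if "origin" in h:
        return False
    # 3. Constant-time comparison of the presented token with the secret.
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = auth[len("Bearer "):].encode()
    return hmac.compare_digest(presented, expected_token.encode())


class ControlHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the local control endpoint (assumed layout)."""

    def do_POST(self):
        if not is_authorized(dict(self.headers)):
            self.send_response(403)
            self.end_headers()
            return
        if self.path == "/connection/stop":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"stopped\n")  # a real client would tear down the tunnel here
        else:
            self.send_response(404)
            self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8076), ControlHandler).serve_forever()
```

A quick way to check whether your own installed client still has the unauthenticated listener is `ss -ltnp | grep 8076`; if nothing is listening, the page in the PoC has nothing to talk to.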
This security flaw is a significant privacy breach for VPN users, revealing their approximate physical location and actual IP address, effectively nullifying one of the primary reasons for using a VPN service.
Atlas VPN eventually acknowledged the vulnerability four days after the disclosure, apologized, and pledged to release a fix for its Linux client. Linux users will receive notifications when the update becomes available.
In response to inquiries, Atlas VPN emphasized its commitment to security and user privacy, vowing to implement more security checks in the development process to prevent such vulnerabilities in the future. Given the critical nature of this zero-day vulnerability, Linux client users are strongly advised to take immediate precautions and consider alternative VPN solutions until the patch is released.