Researchers from the virtual private network (VPN) provider Perfect Privacy discovered a gaping hole that can easily expose the real IP address of VPN users.
The flaw, dubbed "Port Fail," affects VPN providers, including those used by BitTorrent users, that offer port forwarding and have no protection against IP leaks.
The issue, which affects all VPN protocols and operating systems, was made public after Perfect Privacy alerted several affected competitors to the threat.
Over the past several years, interest has grown in using VPNs to bypass censorship in countries with restricted internet access and to browse anonymously, especially since the Snowden revelations.
VPNs are used across the world by privacy-conscious people and to circumvent geolocation-based content restrictions by disguising a person's true location.
The aim of using a VPN is to hide the IP address assigned by the user's ISP, but the discovery showed that this protection can be easily bypassed on some providers by using a port forwarding trick. If the attacker uses the same VPN as the user, the user's IP address can be exposed.
Perfect Privacy tested the vulnerability with nine VPN providers that offer port forwarding. Five of them were vulnerable, including Private Internet Access (PIA), Ovpn.to and VPN, which were notified before public disclosure and have fixed the issue.
PIA awarded Perfect Privacy $5,000 for the disclosure.