
Critical zero-day vulnerability exposes Atlas VPN Linux client users

Urgent security advisory: ensure privacy protection and evaluate VPN alternatives for Atlas VPN Linux users

A zero-day vulnerability in Atlas VPN's Linux client allows websites to expose users' real IP addresses, compromising their privacy. The flaw enables unauthorized access to the VPN's command-line interface without authentication, revealing sensitive information. A PoC exploit was shared online, prompting Atlas VPN to apologize and promise an urgent fix. Users are advised to take precautions and explore alternative VPN options.

An alarming security flaw has been uncovered in the Linux client of Atlas VPN, a popular VPN service. A zero-day vulnerability has been identified, which allows an attacker to easily expose a user's real IP address just by visiting a website. The flaw lies in an API endpoint that lacks authentication, enabling anyone to issue commands to the command-line interface (CLI) of the VPN client. This poses a severe privacy breach for Atlas VPN users, undermining the very purpose of using a VPN.

Proof-of-Concept exploit reveals critical issue

A proof-of-concept (PoC) exploit shared on Reddit highlights the severity of the vulnerability affecting Atlas VPN's Linux client version 1.0.3. The exploit revolves around an API endpoint that listens on localhost on a specific port. This endpoint lacks authentication, so potentially any website can issue commands to the VPN client's CLI. By embedding a hidden form that JavaScript submits automatically, a web page can terminate the active VPN session and reveal the user's actual IP address. This vulnerability significantly compromises user privacy and exposes users to tracking.

Confirmation from Amazon cybersecurity engineer

The effectiveness of the exploit has been confirmed by cybersecurity engineer Chris Partridge from Amazon. His investigation revealed that the exploit bypasses existing browser protections, as the requests are initiated as form submissions. This allows websites to access the Atlas VPN API endpoint without triggering standard security safeguards. The exploit grants access to the URL responsible for disconnecting the VPN connection in Linux, rendering one of the primary purposes of a VPN—protecting user identity and location—effectively nullified.
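The weakness described above is a localhost API that trusts any request it receives, and a form submission is exactly the kind of cross-site request a browser sends without a preflight. As an added defensive illustration (not code from Atlas VPN or from the article), the check below shows how a local control daemon can tell a browser-originated form POST from a call by its own CLI: it rejects requests carrying Origin, Referer or a non-"none" Sec-Fetch-Site header, refuses the preflight-free content types a form produces, and requires a per-install bearer token compared in constant time. The port, the `/disconnect` path and the token value are constructed placeholders, not Atlas VPN's.

```python
"""Authorization check for a localhost control API (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Per-install secret shared only with the trusted CLI (e.g. via a root-only file).
# Constructed here at import time; a real daemon would persist it at install.
SESSION_TOKEN = secrets.token_hex(32)

# Content types a browser may POST cross-site without a CORS preflight.
# A hidden, auto-submitted HTML form produces one of these.
PREFLIGHT_FREE_TYPES = (
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def authorize(req, expected_token=SESSION_TOKEN):
    """Return (allowed, reason); every check must pass before a command runs."""
    # 1. Browsers attach Origin/Referer to cross-site requests; a native CLI does not.
    if req.header("Origin") is not None or req.header("Referer") is not None:
        return False, "browser-originated request"
    # 2. Fetch metadata, when the browser sends it, also identifies a web page as the source.
    site = req.header("Sec-Fetch-Site")
    if site is not None and site != "none":
        return False, f"Sec-Fetch-Site={site}"
    # 3. Refuse the content types a form can post without a preflight.
    ctype = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    if req.method != "GET" and ctype in PREFLIGHT_FREE_TYPES:
        return False, f"form-style content type {ctype!r}"
    # 4. Require the shared secret on every call, compared in constant time.
    auth = req.header("Authorization") or ""
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    presented = auth[len("Bearer "):].encode("utf-8", "surrogateescape")
    if not hmac.compare_digest(presented, expected_token.encode()):
        return False, "bad bearer token"
    return True, "ok"


def demo():
    """Run the check on two constructed requests to the same placeholder endpoint."""
    # Shaped like a hidden form that a web page submitted automatically.
    cross_site_form = Request("POST", "/disconnect", {
        "Host": "127.0.0.1:8000",  # placeholder port, not Atlas VPN's
        "Origin": "https://attacker.example",
        "Content-Type": "application/x-www-form-urlencoded",
        "Sec-Fetch-Site": "cross-site",
    })
    # Shaped like the daemon's own CLI calling from the same machine.
    cli_call = Request("POST", "/disconnect", {
        "Host": "127.0.0.1:8000",
        "Content-Type": "application/json",
        "Authorization": f"Bearer {SESSION_TOKEN}",
    })
    return {"form": authorize(cross_site_form), "cli": authorize(cli_call)}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'} ({reason})")
```

Binding to 127.0.0.1 alone is not a security boundary, because the user's own browser lives on that host; the token is the actual control, and the header checks are defence in depth that also stop a leaked token from being replayed by a web page. A daemon that serves a browser-based UI on purpose would instead need an explicit origin allow-list and a CORS preflight policy rather than a blanket rejection.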

Atlas VPN's response and user recommendations

Atlas VPN was alerted to the vulnerability four days after its disclosure. Despite initial delays in response, the company has since taken the matter seriously, issuing an apology and committing to releasing a fix for its Linux client promptly. Users will be notified once the update is available. In the meantime, Linux client users are strongly advised to take immediate precautions, including considering alternative VPN solutions. In an increasingly interconnected digital landscape, prioritizing privacy and security remains crucial.


09/06/2023 08:30

Marco Verro
