Researchers have identified a bug in the way that some third-party VPN services use the PPTP protocol over IPv6, a problem that enables eavesdroppers to unmask the specific IP addresses of the VPN service’s users.
The vulnerability, which was disclosed at a conference in Sweden last week, only seems to affect VPN implementations that are using IPv6, the newest version of the core Internet Protocol. Organizations, governments and enterprises have been slowly rolling out IPv6 implementations over the last couple of years and gradually transitioning various services to the new release, which is meant to have some added security advantages over IPv4, the current standard.
The problem could be a particular concern for users of Web-based VPN services that are popular with users of torrent services, Wired’s UK edition says.
The flaw means that the IP address of a user hiding behind a VPN can
still be found, thanks to their connection broadcasting information that
can be used to identify them. It’s also relatively easy to find a MAC
address (which identifies a particular device) and a computer’s name on
the network that it’s on.
It’s possible to re-hide yourself by switching IPv6 off and going
back to IPv4, but that does mean losing the benefits that it offers.
It’s most dangerous because many users aren’t aware of the issue, so
it’s likely that administrators of VPN networks may end up having to
warn their users, and offer instructions on how
to turn off IPv6.
Security weaknesses involving VPNs certainly are nothing new. Researchers have warned of other flaws in VPNs in the past and security experts have warned that VPNs are a decent solution for specific remote access needs but are by no means a security panacea.