AtlasVPN Linux Zero-Day Disconnects Users, Reveals IP Addresses

Published: 23/11/2024   Category: security


All it takes is a simple copy-paste to undo a VPN service used by millions worldwide.



[EDITOR'S NOTE: On Sept. 18, 2023, nearly two weeks after this story posted, AtlasVPN issued a patch for the vulnerability.]
A security researcher has published exploit code for AtlasVPN for Linux, which could enable anybody to disconnect a user and reveal their IP address simply by luring them to a website.
AtlasVPN is a freemium virtual private network (VPN) service owned by NordVPN. Despite being just 4 years old, according to its website, it's used by more than 6 million people worldwide.
On Sept. 1, after receiving no response from the vendor, an unidentified researcher (referred to by their Full Disclosure mailing list username, icudar) posted exploit code for AtlasVPN Linux to the Full Disclosure mailing list and Reddit. By simply copying and pasting this code to their own site, any odd hacker could disconnect any AtlasVPN user from their private network, and reveal their IP address in the process.
"Since the entire purpose of the VPN is to mask this information, this is a pretty significant problem for users," says Shawn Surber, senior director of technical account management at Tanium.
The issue with AtlasVPN's Linux client boils down to a lack of proper authentication.
"The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication," icudar wrote in his online posts. "This port can be accessed by ANY program running on the computer, including the browser."
Surber guesses that this vulnerability appears to be caused by the assumption that Cross-Origin Resource Sharing (CORS) protection would prevent it. CORS is a mechanism by which one domain can request resources from another.
As other researchers have pointed out, though, the exploit easily slips past CORS by sending a type of request it does not flag. "CORS is designed to prevent data theft and loading of outside resources. In this scenario, the attack uses a simple command, which slips through the CORS gauntlet and, in this case, turns off the VPN, immediately exposing the user's IP and therefore general location," Surber explains.
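As an added illustration (not AtlasVPN's code or its eventual patch), the sketch below shows request checks a localhost control API could apply so that a web page cannot drive it, covering both the missing authentication and the misplaced reliance on CORS described above. The header policy, the token scheme and the sample requests are assumptions constructed for this example; only port 8076 comes from the article.

```python
import hmac

# Assumptions for this sketch: the daemon listens on 127.0.0.1:8076 (the port
# named in the article) and a per-install token sits in a file that only the
# local user can read. Header names are standard HTTP; the policy is illustrative.
ALLOWED_HOSTS = {"127.0.0.1:8076", "localhost:8076"}


def authorize(method, headers, expected_token):
    """Decide whether one request to the local control API may proceed."""
    h = {k.lower(): v for k, v in headers.items()}
    # Refuse preflights: with no CORS allow headers returned, a browser will
    # not send a follow-up request that carries custom headers.
    if method == "OPTIONS":
        return False, "preflight refused"
    # A rebinding page reaches 127.0.0.1 under its own hostname.
    if h.get("host") not in ALLOWED_HOSTS:
        return False, "unexpected Host"
    # Browsers attach Origin to cross-site POSTs; the native client never does.
    if "origin" in h:
        return False, "browser-originated request"
    # The real control: a secret a web page cannot read. "Simple" requests
    # skip the preflight, so CORS alone never stops them from arriving.
    supplied = h.get("authorization", "").encode()
    if not hmac.compare_digest(supplied, f"Bearer {expected_token}".encode()):
        return False, "missing or wrong token"
    return True, "ok"


def demo(token="constructed-sample-token"):
    """Run constructed sample requests through the policy."""
    samples = {
        "cross_site_form": ("POST", {"Host": "127.0.0.1:8076",
                                     "Origin": "https://site.example",
                                     "Content-Type": "text/plain"}),
        "image_tag_get": ("GET", {"Host": "127.0.0.1:8076"}),
        "rebinding": ("POST", {"Host": "site.example:8076"}),
        "preflight": ("OPTIONS", {"Host": "127.0.0.1:8076",
                                  "Origin": "https://site.example"}),
        "local_cli": ("POST", {"Host": "127.0.0.1:8076",
                               "Authorization": f"Bearer {token}"}),
    }
    return {name: authorize(m, hdrs, token) for name, (m, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Only the request carrying the locally stored token is accepted; every browser-shaped request is rejected before it can change VPN state, whether or not CORS would have hidden the response.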
To test the extent of the vulnerability, icudar wrote malicious JavaScript that would request port 8076 and successfully disconnect the VPN, then request to leak the user's IP address.
"It shows that AtlasVPN does not take their [users'] safety serious, because their software security decisions suck so massively that [it's] hard to believe this is a bug rather than a backdoor," they wrote.
There is no evidence yet of AtlasVPN's vulnerability being exploited in the wild. In a response via Reddit, the head of the IT department at AtlasVPN wrote that the company is fixing the issue, will notify all Linux client users, and release a patch as soon as possible.
In a written statement for Dark Reading, AtlasVPN could not provide an exact timeline for its patch but assured that "we are actively working on fixing the vulnerability as soon as possible."
