So far, the popular VPN, which offers a paid-for premium version as well as what it describes as a “freemium” package, has acknowledged the vulnerability but been unable to confirm when it will be able to patch the problem.
All the evidence so far suggests that this particular vulnerability only affects users of the Atlas VPN Linux app, so if you are using Atlas VPN on other devices, you don’t appear to have anything to worry about from this particular problem.
What is the Atlas VPN Linux Zero Day Vulnerability?
The zero-day vulnerability that has been identified only affects the Atlas VPN client for Linux, v1.0.3. This is the most recent version, so if you haven’t already updated, the best advice is not to for now, until Atlas VPN has patched the problem.
The details of what the problem is and how it works are quite complicated. Essentially, the AtlasVPN Linux Client is made up of two parts. One part manages the connections and a one that enables the user controls to connect, disconnect and list services.
The app connects by opening up an API on localhost on port 8076. It does not have any authentication, which is not ideal because this port can be accessed by any program running on the computer, including the browser.
That means that any website is able to create a malicious script to request the port to disconnect the VPN. This then would allow it to reveal the users real IP Address as well.
The zero-day vulnerability has been tested and demonstrated by Chris Partridge, a security engineer and one of the moderators of the Cybersecurity subreddit among others.
What does Atlas VPN have to say about the vulnerability?
To give Atlas VPN some credit, they have fessed up to this vulnerability quickly.
The Atlas VPN Head of Communications, Rūta Čižinauskaitė, has spoken to Help Net Security about the issue and stated that the company was aware of the problem.
“The vulnerability affects Atlas VPN Linux client version 1.0.3. As the researcher stated, due to the vulnerability, the application and, hence, encrypted traffic between a user and the VPN gateway can be disconnected by a malicious actor. This could lead to the user’s IP address disclosure,” she confessed.
But fixing the issue is less impressive as, while Atlas VPN are seeking to fix the problem, they haven’t managed to issue a patch at the time of writing. Until Atlas VPN Linux users are prompted to update their app with a new version, it is clear that they will not have done so either.
Interestingly, the Atlas VPN Head of IT has acknowledged this slow response and even gone on Reddit themselves to apologise.
He said, “It’s unacceptable, and we will address this process accordingly so we can react much faster in the future.”
He’s not wrong and even though most Atlas VPN users will not be affected by this problem, many will be far from impressed with how the company has handled the problem once it arose.
Head of Comms Čižinauskaitė has scrambled to try and limit the damage from this incident. She has said that Atlas VPN will implement more security checks in the development process to avoid such vulnerabilities being left in their clients in the future.
She also asked anyone who uncovered a vulnerability in the future to contact Atlas VPN via firstname.lastname@example.org.
That’s all well and good, but Atlas VPN were approached about this vulnerability before it went public, yet they have still not managed to fix it.
Atlas VPN’s openness and transparency on this matter is to be applauded. But they must do better when it comes to fixing problems of this kind.
To make matters worse, Atlas VPN was acquired by the owners of popular NordVPN, known for their strong security provisions.
These not only deal with vulnerability swiftly and effectively, but also run bounty schemes and conduct independent audits to ensure these problems are nipped in the bud and any risk to users is minimal.