VPN users menaced by port forwarding blunder
Torrent users especially exposed by IPSec, PPTP and OpenVPN mess, we're told
Virtual Private Network (VPN) protocols have a design flaw that can be potentially exploited by snoops to identify some users' real IP addresses.
VPN provider Perfect Privacy, which discovered the security weakness, has dubbed it "port fail", and says it affects VPNs based on the IPSec (Internet Protocol security) or PPTP (point-to-point tunnelling protocol) specifications, or using the OpenVPN client software.
Providers that offer port forwarding services are affected unless they've taken specific defensive measures, the company says.
Attackers need to have an account with the same vulnerable provider as their intended victim, and need to trick the target into visiting a website under the hackers' control.
"If the attacker has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control," the researchers say.
One redditor has offered a more detailed breakdown of the problem.
Major virtual private network providers have been warned about the flaw. Private Internet Access says it has fixed the flaw and paid its rival US$5,000 for the research effort.
BitTorrent users are under particular threat, Perfect Privacy says, because if they use port forwarding as their default torrent client port, they don't need to be tricked into visiting an attacker's website.
Researchers suggest VPN providers set server-side firewall rules to block access from the client's real IP address to forwarded ports the client does not use. ®
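As an added illustration of that server-side mitigation (this is not Perfect Privacy's or any provider's code), the hook below is written for OpenVPN's client-connect and client-disconnect script slots and installs drop rules from the connecting client's real address to every forwarded port that is not its own; the WAN interface, chain name and the port lists are assumptions.

```shell
# Hypothetical OpenVPN client-connect / client-disconnect hook (added example,
# not code from the article or from any VPN provider).  OpenVPN exports the
# client's real, pre-tunnel source address as $trusted_ip and the hook phase
# as $script_type; the WAN interface, chain name and port lists are assumed.
# Rules live in mangle PREROUTING, which runs before the nat DNAT implementing
# the port forward, so the original destination port is still visible.
# IPT=echo gives a dry run that only prints the commands.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
CHAIN="${CHAIN:-PORTFAIL}"
# Create the chain once and hook it into mangle PREROUTING on the WAN side.
portfail_init() {
    $IPT -t mangle -N "$CHAIN" 2>/dev/null || true
    $IPT -t mangle -C PREROUTING -i "$WAN_IF" -j "$CHAIN" 2>/dev/null ||
        $IPT -t mangle -A PREROUTING -i "$WAN_IF" -j "$CHAIN"
}

# $1 = A (add) or D (delete); $2 = the client's real IP; $3 = ports this
# client owns; $4 = every port forwarded on this server (space separated).
# Drops packets from the real IP to any forwarded port that is not its own,
# which is exactly the traffic a port-fail attack relies on.
portfail_rules() {
    action="$1"; real_ip="$2"; own="$3"; all="$4"
    for port in $all; do
        # The client's own forwards stay reachable from its real address.
        case " $own " in *" $port "*) continue ;; esac
        for proto in tcp udp; do
            $IPT -t mangle -"$action" "$CHAIN" -s "$real_ip" -p "$proto" \
                --dport "$port" -j DROP
        done
    done
}

# Entry point when run by OpenVPN.  OWN_PORTS and ALL_PORTS are assumed to be
# looked up from the provider's port-forwarding database for $common_name;
# they are taken from the environment here.
portfail_hook() {
    case "${script_type:-}" in
        client-connect)
            portfail_init
            portfail_rules A "$trusted_ip" "${OWN_PORTS:-}" "${ALL_PORTS:-}" ;;
        client-disconnect)
            portfail_rules D "$trusted_ip" "${OWN_PORTS:-}" "${ALL_PORTS:-}" ;;
    esac
}

if [ -n "${script_type:-}" ]; then
    portfail_hook
fi
```

Because the match is on the pre-DNAT destination port and the client's real source address, a victim's connection to another user's forwarded port never reaches the tunnel, while traffic arriving through the tunnel itself is unaffected.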