"Most VPNs Can Be Tricked Into Leaking Traffic"
According to university researchers, nearly 70 Virtual Private Network (VPN) clients and servers are vulnerable to an attack that can cause them to leak user traffic. The multi-campus collaboration named the attack TunnelCrack and has released proof-of-concept (PoC) exploit code. TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. According to the researchers, tests indicate that every VPN product is vulnerable on at least one device. The underlying cause of the vulnerabilities has been present in VPNs since their emergence in 1996. The researchers found that VPN clients allow traffic to be sent in the clear, outside the tunnel, in two cases. In the first case, the traffic is destined for the local network, so that enabling the VPN does not disable access to the LAN. In the second case, the destination is the VPN server itself, an exception that prevents routing loops. The researchers discovered that these two routing exceptions could be manipulated to send arbitrary traffic outside of the VPN tunnel. This article continues to discuss TunnelCrack, a combination of two security vulnerabilities in VPNs.
iTnews reports "Most VPNs Can Be Tricked Into Leaking Traffic"
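A defender-side audit of the two routing exceptions described above, added here as an example and not taken from the researchers' code. It assumes a policy that a route bypassing the tunnel must be either a private-range LAN prefix or a single-host route to the VPN server; the interface names, addresses and the `audit_routes` helper are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges. Treating a LAN exception outside them as suspect is a
# policy assumption of this example. IPv4 only.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_routes(routes, tunnel_if, vpn_server_ip):
    """Return (prefix, interface, reason) for every route that bypasses the
    tunnel and is wider than the two exceptions the article describes."""
    server = ipaddress.ip_address(vpn_server_ip)
    findings = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if iface == tunnel_if:
            continue  # traffic on this route goes through the tunnel
        if net.prefixlen == 0:
            continue  # physical default route, assumed overridden by the tunnel's /1 routes
        if net.num_addresses == 1 and server in net:
            continue  # exception 2: single-host route to the VPN server
        if any(net.subnet_of(p) for p in PRIVATE_NETS):
            continue  # exception 1: LAN route inside private address space
        if server in net:
            reason = "server exception wider than a single host"
        else:
            reason = "non-tunnel route covers public address space"
        findings.append((prefix, iface, reason))
    return findings

# Constructed sample routing tables (documentation address ranges).
VPN_SERVER = "203.0.113.10"
BASE = [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0"), ("0.0.0.0/0", "wlan0")]
ROUTES_NARROW = BASE + [("192.168.1.0/24", "wlan0"), ("203.0.113.10/32", "wlan0")]
ROUTES_WIDE = BASE + [("198.51.100.0/24", "wlan0"), ("203.0.113.0/24", "wlan0")]

if __name__ == "__main__":
    for name, table in (("narrow", ROUTES_NARROW), ("wide", ROUTES_WIDE)):
        print(name, audit_routes(table, "tun0", VPN_SERVER))
```
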