IP Leak Vulnerability in Port Forwarding Feature

edited November 2015 in Software and System Updates Posts: 167
Dear Customers,

Last week, we, along with several other VPN providers, were notified of an IP address leak vulnerability when the port forwarding feature (disabled by default) is used. We deployed a fix quickly after the initial report; however, earlier today, we discovered some edge cases where our fix is incomplete.

We are in the process of deploying an improved fix on all of our VPN gateways as well as releasing new clients. We will update this thread when the fix has been deployed and new client installers are available.

We apologize for the inconvenience. Please be assured that we take privacy very seriously and will be notifying all of our customers of what happened and any steps they need to take.

Note: We have now published new client installers. Please visit https://www.privateinternetaccess.com/forum/discussion/19317/new-mac-windows-clients-v-52-released for more information, or download updated installers from our website.

Sincerely,
PIA
Post edited by Support on

Comments

  • edited January 2016 Posts: 48
    This post has been removed due to violating our Terms of Service. 


    And the direct link to our updated ToS here: https://www.privateinternetaccess.com/forum/home/termsofservice
    Post edited by Goldstein on
  • edited November 2015 Posts: 515
    Support said:
    Dear Customers,...............

    Sincerely,
    PIA
    Thanks PIA for this information update. Thanks also for acknowledging that there is still a problem with port forwarding leakage and that you'll be fixing it. Hopefully soon?

    PIA please do something about this robert_lazaar, along with his fellow harassers in crime, sock puppet personalities MahmoudAbdul, TiffanyNichols, Marco_Wollank, DerekZimmer and perhaps others. If you check their comments you'll find that many of them are utterly insane. By your complete lack of regard for how they habitually harass other PIA members like me they're serving to destroy PIA's credibility. Anytime someone posts legitimate concerns or complaints one or more of them shouts it down. They're even posting in the comment section of torrentfreak. They're making PIA look absolutely terrible. For your own sakes you really need to do something about them.
    Post edited by tomeworm on
  • Posts: 167
    Please visit https://www.privateinternetaccess.com/forum/discussion/19317/new-mac-windows-clients-v-52-released to obtain new client installers (v.52) that address the client-side fix for this vulnerability.
  • Thanks PIA. p0800122, can you confirm the fix in the new installer actually works this time? I have no idea how to test this myself.
  • edited November 2015 Posts: 48
    buckbundy - I will test this today and report back

    Regards
    Post edited by p0800122 on
  • Posts: 515
    Thanks p0800122. Looking forward to hearing more from you on this. At this stage I trust you far more than I do PIA. They supposedly paid Perfect Privacy a $5,000 reward for finding this port forwarding leak vulnerability in the first place.

    By the time this is all over I think they should give you a comparable reward too. Oh, wait! We know that will never happen. PIA only did so with Perfect Privacy for marketing hype reasons. They'd never get any mileage out of paying you. All you've done is brought them embarrassment. Just know that the rest of us are very grateful for your efforts.
    p0800122 said:
    buckbundy - I will test this today and report back

    Regards

  • tomeworm said:
    Thanks p0800122. Looking forward to hearing more from you on this. At this stage I trust you far more than I do PIA. They supposedly paid Perfect Privacy a $5,000 reward for finding this port forwarding leak vulnerability in the first place.

    By the time this is all over I think they should give you a comparable reward too. Oh, wait! We know that will never happen. PIA only did so with Perfect Privacy for marketing hype reasons. They'd never get any mileage out of paying you. All you've done is brought them embarrassment. Just know that the rest of us are very grateful for your efforts.
    p0800122 said:
    buckbundy - I will test this today and report back

    Regards

    Yeah their priorities are really in question. AirVPN looks a whole lot better.

  • tomeworm said:
    Support said:
    Dear Customers,...............

    Sincerely,
    PIA
    Thanks PIA for this information update. Thanks also for acknowledging that there is still a problem with port forwarding leakage and that you'll be fixing it. Hopefully soon?

    PIA please do something about this robert_lazaar, along with his fellow harassers in crime, sock puppet personalities MahmoudAbdul, TiffanyNichols, Marco_Wollank, DerekZimmer and perhaps others. If you check their comments you'll find that many of them are utterly insane. By your complete lack of regard for how they habitually harass other PIA members like me they're serving to destroy PIA's credibility. Anytime someone posts legitimate concerns or complaints one or more of them shouts it down. They're even posting in the comment section of torrentfreak. They're making PIA look absolutely terrible. For your own sakes you really need to do something about them.
    Say this a million times, and PIA does nothing about it. Very unprofessional service they have here.
  • Posts: 515
    lrryie said:
    ....is far more deserving of trust than some random person alias of "p0800122" that only tells you what you want to hear. 

    So, how many times are you planning to post under this and your other forum aliases trying to add the appearance of quantity support for your argument false statements?
    1) Yes, I trust "some random person alias" who obviously is using the alias of their PIA account number, which certainly doesn't make them an "alias" to PIA. "Irryie" is an alias, isn't it? Unless, that is, it happens to be the name on your birth certificate. Not that I care one way or the other. You're entitled to use an alias here, as am I, but to accuse p0800122 of using an alias is particularly absurd in light of the fact that everyone here is using one too, myself included. No one cares but you.

    2) I have no other forum aliases on this PIA forum that I have ever used. Feel free now to call me a liar, as you so reflexively resort to. I could care less.

    The behavior and tactics of you and your buddies robert_lazar, MahmoudAbdul, Marco_Wollank, etc. bear striking resemblance to those of Scientologists. Needless to say I can't help but wonder if y'all are current or former Scientologists. That would explain everything.

    I once had a friend who'd been very high in the rank of the Scientology cult, actually working in the Sea Org. He'd been a Scientologist for many years, but after enduring a great deal of psychological and even physical abuse he finally came to his senses and escaped. Tragically to this day he still can sometimes act very much like a Scientologist, with all its associated pathologies. As a result of that I had to end our friendship. You and your cultish buddies remind me very much of him and the few other Scientologists I've run across.

    I recommend you watch the HBO special "Going Clear." If you're the least bit introspective you'll see some of yourself in it. I'd also recommend the BBC Panorama report on Scientology. In it you'll discover that Scientologists use the same psychological warfare tactics of projection, button pushing, and shouting down their opposition that you and your buddies do. I hope someday you and your pals free yourself from the cultish pathology that so clearly enslaves you, just as so many thousands of Scientologists have freed themselves from the mind-control cult of Scientology.
  • edited January 2016 Posts: 1,103
    This post has been removed due to containing a quote that violates our Terms of Service. 


    And the direct link to our updated ToS here: https://www.privateinternetaccess.com/forum/home/termsofservice
    Post edited by Goldstein on
  • Is anyone going to test the latest client patch instead of all this pointless bickering? Like I said earlier, if I knew how to test it I would...
  • I chatted with someone from PIA this morning. They have a new app v53 that just came out that fixed the issue with port forwarding leak.


  • Posts: 515
    floraluca said:
    I chatted with someone from PIA this morning. They have a new app v53 that just came out that fixed the issue with port forwarding leak.
    Thank you. I, like you, hope that it really is fixed this time. It's deeply disappointing to have been told that it was fixed 4 days ago only to discover that it wasn't. Then on top of it all we as PIA customers find ourselves being barraged with insults by psychotic PIA cult-boys. This forum is such a dreadful place.
  • tomeworm said:
    floraluca said:
    I chatted with someone from PIA this morning. They have a new app v53 that just came out that fixed the issue with port forwarding leak.
    Thank you. I, like you, hope that it really is fixed this time. It's deeply disappointing to have been told that it was fixed 4 days ago only to discover that it wasn't. Then on top of it all we as PIA customers find ourselves being barraged with insults by psychotic PIA cult-boys. This forum is such a dreadful place.
    So true!
  • edited November 2015 Posts: 48

    lrryie said:
    .... anyway , I am still waiting for "p0800122", as "p0800122" guaranteed, to 'prove' my IP leaks. (https://www.privateinternetaccess.com/forum/discussion/comment/34632/#Comment_34632). I guess i'll be waiting a long time because he can't prove diddly, he can only copy-n-paste the works of others.

    No, I didn't copy and paste anything; that was me who did the testing. You should message Support - they will tell you who it was. You really just made yourself look like a complete fool undermining a serious security hole.
    Post edited by p0800122 on
  • edited November 2015 Posts: 21
    So where is the proof that anyone is logging in here with multiple forum names? Seems a lot of assuming and bandwagon jumping is going on and I don't see much fact passed around. That's a lot of work going to the trouble of creating multiple accounts with different names and email addresses. Seems like a big waste of time to me and dunno why anyone would bother doing it unless they just have a hell of a lot of time on their hands or just pretty weird.

    As far as PIA, I've been using it over a year and have been satisfied with it other than slow speeds sometimes (but that's going to happen using any vpn). PIA did say other VPNs were affected by this and not just them so this was not specific to only PIA. They notified everyone and got it fixed. Myself I'm not making it a big deal but I see apparently some are. If some don't like it they are always free to move to something else. If I didn't like it, I would (I'm not going to continue paying money for something I'm not satisfied with). That's my cent and a half and no I don't use any other forum names here (or use multiple forum names in any other forums I frequent for that matter).
    Post edited by MikeO on
  • The new installer is detected as IDP.ARES.Generic can't install this >.< can you do something about this? It's very fishy even when you say it's just false alarm. I think this should not happen.
  • If I understand correctly, this security issue does not affect me as Port Forwarding is not enabled in my PIA settings, which is a big relief.


    Secondly, coming to these forums to try to understand what risk I may have been exposed to, has been a disappointing experience due to the attitudes of some of the people here.  I don't know what people hope to achieve with their "This product is perfect!  Everyone who points out a serious flaw is just a hater and should shut up!" attitudes.  It's people like this who put themselves and everyone else at extra risk.  It is beyond me why anyone who cares enough to get a VPN would then be so stupid as to stand in the way of a serious issue being identified and rectified.  Instant loss of all credibility by those people.


    Thank you PIA for achieving the right outcome in the end.  Hopefully next time you'll be more thorough before announcing "Problem Solved" 

  • edited December 2015 Posts: 297
    Guys...PIA emailed their customers, explained the situation basically and technically, and apologized to everyone for their mistake...I thought that was classy...what more do you people want... ( if you haven't seen the email, check the inbox of the email you registered with )
    Post edited by moshbeast on
  • edited December 2015 Posts: 57
    moshbeast said:
    Guys...PIA emailed their customers, explained the situation basically and technically, and apologized to everyone for their mistake...I thought that was classy...what more do you people want... ( if you haven't seen the email, check the inbox of the email you registered with )

    Can you confirm the day it was sent? I just recently deleted some emails I had in the past, because in the ones I still have I can't find their email that they sent. Thanks.

    Post edited by floraluca on
  • Posts: 9
    Does anyone know a way to test if my IP is leaking as a result of this vulnerability?

    I don't use the PIA software (I use Viscosity), but I do run a script (https://www.privateinternetaccess.com/forum/discussion/180/port-forwarding-without-the-application-advanced-users/p1) that uses a PIA API for detecting the port forwarding port number (and then I assign that port to Transmission). I'm curious as to if I'm leaking my IP as a result?

    Thanks!