A security researcher has published exploit code for AtlasVPN for Linux, which could enable anybody to disconnect a user and reveal their IP address simply by luring them to a website.

AtlasVPN is a “freemium” virtual private network (VPN) service owned by NordVPN. Despite being just 4 years old, according to its website, it’s used by more than 6 million people worldwide.

On Sept. 1, after receiving no response from the vendor, an unidentified researcher (referred to by their Full Disclosure mailing list username, “icudar”) posted exploit code for AtlasVPN Linux to the Full Disclosure mailing list and Reddit. By simply copying and pasting this code to their own site, any odd hacker could disconnect any AtlasVPN user from their private network, and reveal their IP address in the process.

“Since the entire purpose of the VPN is to mask this information, this is a pretty significant problem for users,” says Shawn Surber, senior director of technical account management at Tanium.

How the AtlasVPN Exploit Works

The issue with AtlasVPN’s Linux client boils down to a lack of proper authentication.

“The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication,” icudar wrote in his online posts. “This port can be accessed by ANY program running on the computer, including the browser.”

Surber guesses that “this vulnerability appears to be caused by the assumption that Cross-Origin Resource Sharing (CORS) protection would prevent it.” CORS is a mechanism by which one domain can request resources from another.

As other researchers have pointed out, though, the exploit easily slips past CORS by sending a type of request it does not flag. “CORS is designed to prevent data theft and loading of outside resources. In this scenario, the attack uses a simple command, which slips through the CORS gauntlet and, in this case, turns off the VPN, immediately exposing the user’s IP and therefore general location,” Surber explains.

What This Means for VPN Users

To test the extent of the vulnerability, icudar wrote malicious JavaScript that would request port 8076 and successfully disconnect the VPN, then request…