A Reddit user named ‘Educational-Map-8145’ published a PoC exploit on Reddit that abuses the Atlas VPN Linux API to reveal a user’s real IP addresses.

This PoC creates a hidden form that is automatically submitted by JavaScript to connect to the http://127.0.0.1:8076/connection/stop API endpoint URL.

When this API endpoint is accessed, it automatically terminates any active Atlas VPN sessions that hide a user’s IP address.

Once the VPN connection is disconnected, the PoC will connect to the api.ipify.org URL to log the visitor’s actual IP address.

This is a severe privacy breach for any VPN user as it exposes their approximate physical location and actual IP address, allowing them to be tracked and nullifying one of the core reasons for using a VPN provider.

Bill Toulas, writing for BleepingComputer

As mentioned many times, VPN services are great for hopping to other countries to circumvent geo-fencing websites.

However, if you’re relying on these services for privacy, you’re SOL.