According to a report issued yesterday by the VPN provider Perfect Privacy, a bug affecting some VPN services can be exploited to find out the user's actual IP address. This is a big problem, especially for those who use VPN services for BitTorrent downloads, as they may get into some legal trouble. According to specialists in the field, it's very likely that this type of attack will be (and probably has been) heavily used by copyright-litigation companies to prosecute torrent users.
To successfully exploit this bug, two conditions must be met. First, the attacker must know which VPN service the victim is using in order to gain access to the victim's access point. Second, the victim must be lured into connecting to a resource that belongs to the attacker (an image or a video will work just fine). Once you've accessed the compromised resource, the hacker or legal team will be able to see your real IP and thus instantly find out exactly where you're browsing from.
Talking about the bug, Perfect Privacy's representatives wrote: "The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work." Before publishing this information, the company tested 9 VPN services and found that 5 of them had the vulnerability. The "bugged" services have recently been notified of the situation, so we probably won't know the names of the VPNs that put us in jeopardy until they have had some time to fix the issue.
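The routing behaviour described in that quote can be audited on a client. The following is an added example, not code from Perfect Privacy or from the original article: it runs a longest-prefix match over a constructed routing table and lists the destinations that leave outside the tunnel with the real address. The interface names, the addresses (documentation ranges) and the split-default route layout are assumptions.

```python
import ipaddress

# Constructed routing table of a connected VPN client (assumed layout).
# Each entry: (destination prefix, interface, source address used).
ROUTES = [
    ("0.0.0.0/0",       "eth0", "198.51.100.23"),  # original default route, real IP
    ("0.0.0.0/1",       "tun0", "10.8.0.6"),       # tunnel covers the lower half
    ("128.0.0.0/1",     "tun0", "10.8.0.6"),       # tunnel covers the upper half
    ("203.0.113.10/32", "eth0", "198.51.100.23"),  # host route to the VPN server
]


def select_route(dst, routes=ROUTES):
    """Pick the route the OS would use: the longest matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(prefix), ifc, src)
        for prefix, ifc, src in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    net, ifc, src = max(matches, key=lambda m: m[0].prefixlen)
    return {"prefix": str(net), "interface": ifc, "source": src}


def tunnel_bypasses(routes=ROUTES, tunnel="tun0"):
    """List non-tunnel prefixes that are more specific than a tunnel route.

    Traffic to these prefixes overrides the tunnel and carries the real IP.
    """
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc, _ in routes]
    tun = [n for n, ifc in nets if ifc == tunnel]
    return [
        str(n)
        for n, ifc in nets
        if ifc != tunnel and any(n != t and n.subnet_of(t) for t in tun)
    ]


if __name__ == "__main__":
    print("ordinary site :", select_route("93.184.216.34"))
    print("VPN server    :", select_route("203.0.113.10"))
    print("bypass routes :", tunnel_bypasses())
```

The only bypass in this table is the host route to the VPN server itself, which is the path the quote says must exist for the VPN connection to work.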
Just so we're clear, I would suggest taking this news with a grain of salt, as I'm not yet completely sure that this is an actual situation and not just some annoying way of advertising a specific product. In case security and privacy are of real interest to you, you may also want to find out how to safely use public Wi-Fi networks or learn how to directly connect to a VPN.