The ISP admitted to ISPreview.co.uk that the issue, which affects its popular Hub 3.0 routers, is still active, affecting some customers who use a VPN to try and keep themselves safe online.
The flaw can apparently allow threat actors to access sensitive information, including a user’s IP address, even if they are using a VPN.
The issue was first spotted back in October 2019 by security researchers at Fidus, with Virgin Media (as it was known before its merger with O2) acknowledging the issue shortly after. However, the company later asked Fidus to hold back on publicly declaring any information on the issue until Q1 2021.
Fidus says it contacted Virgin Media for updates several times, but after no reply, declared the flaw, known as CVE-2019-16651, in March 2021.
In its declaration, Fidus went into more detail on the attack, noting that it was a DNS rebinding attack, which can be utilised to reveal a user’s actual IP address simply by visiting a webpage for a few seconds.
“During our testing, it was possible to unmask the true IP address of users across multiple popular VPN providers – resulting in complete deanonymisation,” the company added.
The company did add that the attack did not appear to affect all VPN providers, only those which block access to local IP addresses by default.
In response to an email from TechRadar Pro, Virgin Media O2 said that the issue was fairly niche, and would not affect the vast majority of its customers, most of whom do not use a VPN.
“We are aware of a highly technical issue which, in very particular circumstances, could impact customers using a VPN while accessing a malicious website. A very specific set of circumstances would need to be in place for a customer to be impacted, meaning that the risk to them is very low,” a Virgin Media spokesperson told TechRadar Pro.
“We have strong security measures in place to protect our network and keep our customers secure. We are not aware of any customers being affected by this issue and they do not need to take any action.”