This vulnerability sounds pretty scary...at first.
An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. Our tests indicate that every VPN product is vulnerable on at least one device. We found that VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable, that a majority of VPNs on Windows and Linux are vulnerable, and that Android is the most secure with roughly one-quarter of VPN apps being vulnerable. The discovered vulnerabilities can be abused regardless of the security protocol used by the VPN.
There are a few things that would need to happen in order for this vulnerability to work.
- You'd have to connect to a malicious WiFi network.
- Local Network Sharing would need to be turned on (most VPN clients have this off by default).
- The VPN client would need to allow connections to non-local IP addresses that are advertised as local by the DHCP server, which is not hard to verify if the client is open source.
- If the site you are browsing is secure (https://) then the only data leaked is the domain of the site (not great, but not catastrophic).
However, given a large enough sample group, an attacker could find a decent number of users who would meet these criteria.
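The second and third conditions above can be expressed as a check on the DHCP lease. This is an added example, not part of the original post and not any VPN client's code: it decides whether a destination would be sent outside the tunnel, with and without a rule that the advertised "local" network must be non-routable. The function names, the non-routable list, and the sample leases (documentation ranges) are assumptions, and it handles IPv4 only.

```python
import ipaddress

# Ranges treated here as acceptable "local network" space (assumed policy:
# RFC 1918 plus IPv4 link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def advertised_network(address, netmask):
    """Network that the DHCP lease claims is directly attached."""
    return ipaddress.ip_interface(f"{address}/{netmask}").network


def is_plausibly_local(net):
    """True only if the whole advertised network lies in a non-routable range."""
    return any(net.subnet_of(r) for r in NON_ROUTABLE)


def bypasses_tunnel(dest, net, allow_local, enforce_non_routable):
    """Would a client with these settings send `dest` outside the VPN tunnel?"""
    if not allow_local:
        # Local network sharing is off: everything goes through the tunnel.
        return False
    if enforce_non_routable and not is_plausibly_local(net):
        # Lease advertises routable space as "local": ignore the exemption.
        return False
    return ipaddress.ip_address(dest) in net


if __name__ == "__main__":
    # Constructed leases: an ordinary home network and one that claims a
    # public (documentation) range is the local subnet.
    leases = {
        "home": ("192.168.1.23", "255.255.255.0", "192.168.1.1"),
        "suspicious": ("203.0.113.23", "255.255.255.0", "203.0.113.80"),
    }
    for name, (addr, mask, dest) in leases.items():
        net = advertised_network(addr, mask)
        print(name, net,
              "plausibly local:", is_plausibly_local(net),
              "| leaks without check:", bypasses_tunnel(dest, net, True, False),
              "| leaks with check:", bypasses_tunnel(dest, net, True, True))
```
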