Skip to Content
Technical Articles
Author's profile photo marko phillips

VPN Losing It’s Security Over a New Threat VORACLE

While the internet has shaped the way we communicate, its ease of access and convenience comes with a price. WIthout any online protection, we leave ourselves open to frauds, theft and property theft. Without a doubt, privacy and vigilance go hand in hand to keep yourself safe. That is the subtle reason online privacy tools are an extream need to protect your identity and data online.

By nature, the VPN is a source of security and reliance for multiple companies and individuals fighting the war against global geo-restrictions. But with a recent glitch, VPNs are under serious heat. The history of a Virtual Private Network VPN can be vouched for as it adds an extra layer of security to our networks and with time the encryption and protocols used were tweaked to withstand any possible hacks or attacks until VORACLE Happened.

VORACLE is a recently developed threat that surfaced the forums making multiple VPN services alarmed with its presence. Let’s look under the hood and find how this is a possible threat and where will it impact the most.

What is a VORACLE Attack?

Tech security researcher Ahamed Nafeez came with this new attack at recent Black Hat and DEF CON security conferences. VORACLE is a mix of BREACH, CRIME, and TIME. These are all cryptographic attacks that decrypt HTTP traffic delivered through VPNs in-built OpenVPN protocols. The attack takes advantage as the OpenVPN uses the default setting to compress all data before it encrypts it with TLS.

This is penetrated by repeatedly adding plain text information data packets before the compression happens and then recovers the flowing traffic. With this, the hacker can measure the packet length to compare it to brute force potential value. This a gist, it will allow obtaining session cookies or session data of the user.

Because the VORACLE makes use of plain text information inserted into the data before encryption happens and can see it after it has been encrypted. This is often derived often by engaging users to HTTP websites which are either controlled by the attacker or where the malicious code will be implanted. This is further avoided if the user is using Chrome as it only recognizes and allows HTTPS requests. That being said, it would be hard for VORACLE attack to make its way successfully.

How the Attack Takes Place – Decrypt HTTP traffic sent via VPNs

Initiating a VORACLE attack accounts for different variables that are not easily implemented but for starters, the attacker and the user have to be on the same network, and the target should be on an ‘HTTP’ connection. But if the target is using Chrome browser, then that can be a problem as Chrome rejects HTTP requests and only accept HTTPS.

Next, the attacker engages the target to HTTP website which is controlled by the attacker and the target should be involved with OpenVPN while the compression takes place. The HTTP website will be injected with variable data to the encrypted stream of data between the VPN and the browser. After the variables are set in place, the attacker can easily take charge of the VPN account, and it’s logging sessions until it is disconnected. Within this takeover period, the hacker/attacker can easily change password depending on the amount of security the VPN provider has enabled.

What is the Solution to VORACLE?

Before VORAClE attack happens, few things need to be adjusted and taken care of, and it is possible to stop the attack from taking place.

Avoid All HTTP Websites

VORACLE works only on HTTP websites as HTTPS traffic is immune to VORACLE. We open and click on multiple websites or pages on a daily basis without knowing the source and credibility of the site. VORACLE attacks don’t function on the data which is already encrypted before the compression; this allows the HTTPS websites to stay secure.

Change OpenVPN Protocols on all devices

The attack is designed to penetrate and work on OpenVPN protocol as the people behind this project decided to add a clear warning in the documentation in respect to the dangers of using pre-encryption documentation. They did not change the OpenVPN’s default setting as its process is part of the VPN tunneling. Instead, switch off this protocol in your VPN provider which allows this option.

Make use of Google Chrome/Chromium as a Fail Safe

Different VPNs have different ways of coping with the protocols. Some of the protocols are mandatory, and you cannot switch them off no matter what. If that is the case, then you can use Google Chrome/Chromium as these browsers split HTTP requests defining them into header and body and not including them as a single data packet.

Words of Wisdom

Having a VPN can be relieving but with VORACLE, things have taken a U-turn and now seems like a VPN need to step up its security protocols. With the recent VORACLE threat, multiple VPN providers are shaken by it and trying to implement new changes to prevent it. Until your VPN provider provides a solid proof regarding the issue. Why not safeguard your privacy yourself?

Go through the blog and make your VPN security VOACLE proof.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo James Smith
      James Smith

      Hi, thanks for sharing this information with us..!! I think the aim of the attack is to leak interesting secrets. This can be any cookies, pages with sensitive information, etc.

      But there are simple ways to prevent this. For starters, some VPN services/clients allow users to change the underlying VPN protocol, allowing users to switch to a non-OpenVPN protocol.

      Second, users can stay away from HTTP websites, as HTTPS traffic sent via any VPN service/client is immune to VORACLE attacks.

      Third, the attack does not work in Chromium-based browsers, where HTTP requests are split into multiple parts (header and body). Non-Chromium browsers, such as Firefox, are vulnerable because they send HTTP requests data in one big packet. This means that even if you access an HTTP site via an OpenVPN-based VPN service/client via Chrome, the VORACLE attack won’t work.

      Thanks & Regards

      Author's profile photo marko phillips
      marko phillips
      Blog Post Author


      It's not sure what is the aim of the attack, but it is certain like all other attacks, this will cause serious problems for VPN users.

      I appreciate your concern and the solution you suggested. The solution you pointed is already present in the heading “What is the Solution to VORACLE?” and they have been explained in great detail.

      Author's profile photo Marco Hammel
      Marco Hammel

      Hi Marko,

      Thanks for sharing and creating awareness! I'd like to add and point out, that VORACLE attack is a choosen plaintext attack that is not limited to the HTTP protocol. Any protocol which is not encrypted on the application layer but tunnels through VPN could be used  to carry out the attack. This can for example include the RFC or DIAG protocol when not being secured by SNC. As an attacker you can just drop a SAP GUI shortcut link directing the user to the attacker's controlled SAP system responding the attackers plaintext. Most organization don't restrict outbound traffic for these protocols nor have they secured they SAP GUI installations.

      Just to expand the focus of awareness...



      Author's profile photo Manraj Clegg
      Manraj Clegg

      Hey, Marko! Thank you so much for your article, I have found it extremely interesting!


      Author's profile photo Hillary Brix
      Hillary Brix

       It was hard to understand VPN protocol.

      Author's profile photo raj ram
      raj ram

      Thanks for sharing all these information..all your hardwork is much appreciated. check here

      Author's profile photo tanvi AGARWAL
      tanvi AGARWAL

      yes, facing the issue continuously while opening some of the apps and websites like sportsdio and live score apps.