Find of the day - someone dropped an AtlasVPN #0day on Reddit. The AtlasVPN daemon on Linux runs an HTTP server to accept CLI commands, it binds to 127.0.0.1:8076 by default.

What's hilarious is that it accepts commands without ANY authentication - so if you open a malicious webpage, that webpage can fire a POST to 127.0.0.1:8076/connection/stop and instantly disconnect your VPN.

Utter garbage.

Source: https://www.reddit.com/r/cybersecurity/comments/167f16e/atlasvpn_linux_client_103_remote_disconnect/

Proof below - used AtlasVPN's latest Linux client, version 1.0.3.