GrapheneOS patches Android VPN IP leak vulnerability that Google hasn't fixed
By Alex Lekander
Summary
GrapheneOS has released an update fixing a recently disclosed Android VPN bypass vulnerability (affecting Android 16) that leaks users' real IP addresses even when "Always-On VPN" and "Block connections without VPN" protections are enabled. The flaw, discovered by security researcher "lowlevel/Yusuf," stems from a new QUIC connection teardown feature in Android's networking stack. GrapheneOS patched it by disabling the registerQuicConnectionClosePayload optimization, while Google has not yet addressed the issue.
Key quotes
GrapheneOS has released a new update that fixes a recently disclosed Android VPN bypass vulnerability capable of leaking a user's real IP address.
The leak happens even when Android's 'Always-On VPN' and 'Block connections without VPN' protections were enabled.
The issue, disclosed last week by security researcher 'lowlevel/Yusuf,' affected Android 16 and stemmed from a newly introduced QUIC connection teardown feature in Android's networking stack.
In its latest release, GrapheneOS says it has 'disable[d] registerQuicConnectionClosePayload optimization to fix VPN leak'
