Mullvad Addresses VPN Server Fingerprinting Issue That Could Link User Activity Across Servers
- Mullvad fingerprinting issue: Websites could potentially link users switching VPN servers through matching exit IP assignment patterns.
- User guidance: Mullvad recommends re-logging before server changes to regenerate WireGuard keys and internal addresses.
- Fix rollout: New exit IP assignment system aims to prevent cross-server activity correlation between VPN connections.
Privacy-focused VPN provider Mullvad is rolling out changes to address a fingerprinting issue that could allow websites and online services to associate a user’s activity across different VPN servers.
The company said it became aware of the issue on May 15 and has since detailed how the behavior works, who may be affected, and what mitigation steps are being introduced.
According to Mullvad, the issue does not expose a user’s identity or reveal personal information. However, under certain conditions, it may allow websites or online services to infer that the same user who previously connected through one VPN server later connected through another server in the network.
How the Issue Could Link VPN Connections
Mullvad explained that its VPN servers assign exit IP addresses to users for both IPv4 and IPv6 traffic. Since multiple users share these addresses, each server operates with a range of exit IPs instead of relying on a single address.
Each user device also connects using a unique WireGuard encryption key along with an internal tunnel address, which is often associated with that key.
The fingerprinting issue occurs when a user switches between VPN servers while retaining the same internal tunnel address. In such cases, the user may receive exit IP addresses that occupy a similar relative position within each server’s available IP range.
For instance, if a user is assigned an exit IP positioned around 40% into the address range on one server, they could receive a similarly positioned IP when connecting to another server. Mullvad said this pattern could allow websites or services to make educated guesses that both connections belong to the same user.
The company clarified that the behavior does not provide definitive identification because many users still share the same exit IP addresses. Even so, it acknowledged that the pattern may be sufficient in some cases to link activity between servers.
Mullvad described the issue as a form of fingerprinting, where devices or users are distinguished using characteristics that appear unique or nearly unique. The company also pointed out that fingerprinting remains a broader challenge across several privacy-related technologies, including web browsers and traffic analysis systems.
Mullvad Recommends Re-Logging Before Switching Servers
The VPN provider said users only need to take additional precautions if they switch VPN servers specifically to avoid having activity linked between connections.
For those users, Mullvad recommends logging out and logging back into the Mullvad app before changing servers. This process regenerates the WireGuard key and changes the internal IP address, reducing the likelihood of correlation between VPN sessions.
New Exit IP Assignment Method in Testing
Mullvad confirmed that it is testing a new method for assigning exit IP addresses to users. The updated system is designed to ensure that the exit IP used on one VPN server provides no information about the exit IP assigned on another server or to another user on the same server.
The company said the changes are currently undergoing testing and are expected to be gradually deployed across its VPN infrastructure in the coming weeks.
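The Python sketch below is an added illustration, not Mullvad's code. It assumes, purely for illustration, that the old behaviour amounts to scaling a value derived from the internal tunnel address onto each server's exit range, and it compares that with a per-server keyed mapping that meets the design goal described above. The exit ranges, tunnel addresses, secrets and function names are all constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: documentation ranges as exit pools, made-up tunnel addresses.
POOL_A = list(ipaddress.ip_network("192.0.2.0/26").hosts())      # 62 exit IPs
POOL_B = list(ipaddress.ip_network("198.51.100.0/24").hosts())   # 254 exit IPs
CLIENTS = [f"10.64.{i // 250}.{i % 250 + 1}" for i in range(200)]
SECRET_A, SECRET_B = b"constructed-secret-A", b"constructed-secret-B"


def _pick(digest, exit_pool):
    """Scale the first 8 digest bytes onto the pool; return (exit IP, relative position)."""
    idx = (int.from_bytes(digest[:8], "big") * len(exit_pool)) >> 64
    return exit_pool[idx], idx / len(exit_pool)


def proportional_exit(tunnel_ip, exit_pool):
    """Assumed weak scheme: the position depends only on the tunnel address."""
    return _pick(hashlib.sha256(tunnel_ip.encode()).digest(), exit_pool)


def keyed_exit(tunnel_ip, exit_pool, server_secret):
    """Hardened sketch: a per-server secret decouples positions between servers."""
    mac = hmac.new(server_secret, tunnel_ip.encode(), hashlib.sha256)
    return _pick(mac.digest(), exit_pool)


def mean_position_gap(on_a, on_b, clients=CLIENTS):
    """Average |position on A - position on B| over all clients."""
    gaps = [abs(on_a(c)[1] - on_b(c)[1]) for c in clients]
    return sum(gaps) / len(gaps)


def weak_gap():
    return mean_position_gap(lambda c: proportional_exit(c, POOL_A),
                             lambda c: proportional_exit(c, POOL_B))


def keyed_gap():
    return mean_position_gap(lambda c: keyed_exit(c, POOL_A, SECRET_A),
                             lambda c: keyed_exit(c, POOL_B, SECRET_B))


if __name__ == "__main__":
    print(f"tunnel-address-only mapping: mean gap {weak_gap():.3f}")
    print(f"per-server keyed mapping:    mean gap {keyed_gap():.3f}")
```

A mean gap near zero means the position seen on one server predicts the position on the other. Two independent uniform positions give a mean gap of about one third.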







