
Mullvad addresses exit IP fingerprinting issue linking user activity across VPN servers
Mullvad has disclosed a fingerprinting issue that can allow online services to correlate user activity when users switch between different VPN servers. While this flaw does not expose the real identity of users, it can enable websites or other services to identify that the same person is connecting from multiple VPN exit nodes. This linkage undermines the expected anonymity for those who frequently switch servers to avoid being associated with their past activity.
The root cause involves the reuse of internal tunnel addresses assigned during connection setup. When a user connects to a new server but retains the same internal tunnel address, the system often assigns a similar exit IP from the new server’s range. This technical limitation increases the chances that activities from different servers can be linked, even though many users simultaneously share exit IPs on each server.
To address this risk, Mullvad advises users who want to prevent cross-server linkage to log out and back into the Mullvad app after switching servers. This action regenerates the WireGuard encryption key and assigns a fresh internal IP address.
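The effect described above can be reproduced with a small simulation. This is an added example, not Mullvad's code: the internal address range, the pool sizes and the modulo mapping in exit_slot are assumptions chosen only to model "same internal address, similar exit IP", and the real assignment logic is not described in the disclosure.

```python
import ipaddress
import random

# Constructed values for illustration; not taken from Mullvad's infrastructure.
TUNNEL_NET = ipaddress.ip_network("10.64.0.0/10")   # sample internal tunnel range
POOL_SIZE = {"server-a": 16, "server-b": 16}        # sample exit IPs per server


def new_tunnel_ip(rng):
    """Stand-in for a fresh login: new key, new internal tunnel address."""
    return TUNNEL_NET[rng.randrange(1, TUNNEL_NET.num_addresses - 1)]


def exit_slot(tunnel_ip, server):
    """ASSUMED mapping: the exit slot depends only on the internal address."""
    return int(tunnel_ip) % POOL_SIZE[server]


def same_slot_rate(users, rotate, rng):
    """Share of users whose exit slot on server-b equals their slot on server-a."""
    hits = 0
    for ip in users:
        ip_b = new_tunnel_ip(rng) if rotate else ip
        hits += exit_slot(ip, "server-a") == exit_slot(ip_b, "server-b")
    return hits / len(users)


def crowd_size(users, server, slot):
    """Number of users sharing one exit slot, i.e. who a linked slot could be."""
    return sum(exit_slot(ip, server) == slot for ip in users)


def simulate(n_users=5000, seed=1):
    rng = random.Random(seed)
    users = [new_tunnel_ip(rng) for _ in range(n_users)]
    return {
        "reuse": same_slot_rate(users, rotate=False, rng=rng),
        "rotate": same_slot_rate(users, rotate=True, rng=rng),
        "crowd": crowd_size(users, "server-a", 0),
    }


if __name__ == "__main__":
    print(simulate())
```

Under this model a reused internal address always lands in the same slot on both servers, while a regenerated address matches only at the chance rate of one in sixteen. The crowd figure shows that a linked slot still points at a group of users rather than at one person.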
Looking ahead, Mullvad is testing a new exit IP assignment method that will eliminate the linkability across servers. The change is expected to roll out to VPN servers over the next few weeks.