Security Flaw Leaks VPN Users IP

by Carter Graydon, February 4, 2015

In a post-Snowden era, more people are turning to anonymity services such as VPNs to hide their online identity and boost their internet security. A virtual private network (VPN) is a network that allows users to create a secure network connection over a public or private network.

Recently, TorrentFreak reported a massive security flaw affecting WebRTC-supporting browsers such as Firefox and Chrome. WebRTC (Web Real-Time Communication) was developed to let certain types of connections between browsers work without the need for additional plugins.

VPN IP-Addresses Logged

With a few lines of code, websites can send requests to a STUN server and log users’ VPN IP addresses as well as the user’s home IP address, the one that’s supposed to be hidden. Websites can even request the user’s local network address as well. This isn’t the first time people have worried about the security of WebRTC.

The good news is that WebRTC uses JavaScript requests to get your IP address, and because of this the vulnerability is easy to fix. Chrome users can install the WebRTC block extension or ScriptSafe; both reportedly block the vulnerability. Firefox users need to block the request with the NoScript add-on. Alternatively, you can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.

People using Canary, Nightly, and Bowser are also vulnerable. The local IP address leaks should not be a problem for Internet Explorer or Safari users unless they have manually added WebRTC.

A demo by Daniel Roesler, published on GitHub, lets you check whether you are affected by this security flaw. In a talk with TorrentFreak, TorGuard’s CEO mentioned another fix for the vulnerability.

“Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one’s real IP. During our testing, Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes,”

This is a good reminder that even when you think you’re safe, it’s better to double and triple check.
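
One way to do that double-checking after applying a fix, as an added example that is not part of the original article or of the demo it mentions: the function below takes ICE candidate lines (for instance the `a=candidate:` lines in the SDP shown by Firefox's about:webrtc or Chrome's chrome://webrtc-internals) and sorts the addresses they expose. The sample lines, the IP addresses and the function names are constructed for illustration, and the VPN's exit address is assumed to be known to the tester.

```javascript
// Added example. All candidate lines and IPs are constructed samples
// (RFC 1918 private ranges and RFC 5737 documentation ranges).
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host',
  'candidate:2 1 udp 2122194687 10.8.0.6 51235 typ host',
  'a=candidate:3 1 udp 1686052607 198.51.100.44 51234 typ srflx raddr 192.168.1.23 rport 51234',
  'candidate:4 1 udp 1685987071 203.0.113.7 51235 typ srflx raddr 10.8.0.6 rport 51235',
  'not a candidate line',
];

// Private (RFC 1918), loopback and link-local IPv4 addresses.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Fields: foundation component transport priority ADDRESS port typ type
// [raddr RELATED-ADDRESS rport port]
const CANDIDATE_RE =
  /^(?:a=)?candidate:\S+\s+\d+\s+\S+\s+\d+\s+(\S+)\s+\d+\s+typ\s+\S+(?:\s+raddr\s+(\S+)\s+rport\s+\d+)?/;

// Sort every address the candidates expose into buckets. `vpnExitIp` is the
// public address the VPN is expected to present (assumed known to the tester).
function auditCandidates(lines, vpnExitIp) {
  const report = { local: [], vpn: [], leaked: [], other: [], skipped: 0 };
  const seen = new Set();
  for (const line of lines) {
    const m = CANDIDATE_RE.exec(line.trim());
    if (!m) { report.skipped++; continue; }
    for (const ip of [m[1], m[2]]) {
      if (!ip || ip === '0.0.0.0' || seen.has(ip)) continue;
      seen.add(ip);
      if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) report.other.push(ip); // IPv6 or mDNS name
      else if (ip === vpnExitIp) report.vpn.push(ip);
      else if (isPrivateIPv4(ip)) report.local.push(ip);
      else report.leaked.push(ip); // public address that is not the VPN exit
    }
  }
  return report;
}

console.log(auditCandidates(SAMPLE, '203.0.113.7'));
```

An empty `leaked` list means no public address other than the VPN exit appeared in the candidates; entries in `local` correspond to the local network addresses the article mentions.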

  • Willieaames

    Just wanted to say… For Chrome users, desktop or Android or any device/system with Chrome browser… although the extension on the desktop version and the setting in the Android version have the desired effect of disabling WebRTC, it does not keep Google or “things Google” from discovering your real IP address. I can’t say exactly due to an NDA still in force from my days of working for Google, so I’ll just say that WebRTC is not the only way for your real IP address to be discovered while on IPVanish VPN and the safe bet is to remove the Chrome browser from the system/device. One day people will wake up and realize one of the greatest threats to their privacy and security online, their personal information and online activity, is, and has been for a while, Google (and other companies as well).

  • David Clark

    It is better to use a paid VPN, which is more secure in many ways, as all the online internet activities cannot be monitored by anonymous and no cyber attacks on your account. It basically protects all of the users to be secure in all ways, and on the other side users can access blocked content in any region by just changing IP address. It all depends on the user and what they need. I am using a VPN in the USA to access content from the UK region which is limited here in the US for users.