Security Flaw Leaks VPN Users' IP

In a post-Snowden era, more people are turning to anonymity services such as VPNs to hide their online identity and boost their internet security. A virtual private network (VPN) is a network that allows users to create a secure network connection over a public or private network.

Recently TorrentFreak reported a massive security flaw affecting WebRTC-supporting browsers such as Firefox and Chrome. Real-time communication, or RTC, was developed so that certain types of connections between browsers work without the need for additional plugins.


VPN IP-Addresses Logged

With a few lines of code, websites can send requests to a STUN server and log users' VPN IP addresses as well as the user's home IP address, the one that's supposed to be hidden. Websites can even request the user's local network address as well. This isn't the first time people have worried about the security of WebRTC.

The good news is that WebRTC uses JavaScript requests to get your IP address, and because of this the vulnerability is an easy fix. Chrome users can install the WebRTC block extension or ScriptSafe. Both reportedly block the vulnerability. Firefox users need to block the request with the NoScript add-on. Alternatively, you can type "about:config" in the address bar and set the "media.peerconnection.enabled" setting to false.

People using Canary, Nightly, and Bowser are also vulnerable. The local IP address leaks should not be a problem for Internet Explorer or Safari users unless they have manually added WebRTC.
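To make sense of what a self-test of this flaw reports, the added example below (not from the original article or from the demo it mentions) parses ICE candidate strings, the format in which a browser's WebRTC stack lists the addresses it found via STUN, and flags any public address that differs from the VPN exit address. The function names, the sample lines and their documentation-range addresses are constructed assumptions.

```javascript
// Classify an IPv4 address or hostname seen in an ICE candidate.
function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns';   // mDNS name: local address is obfuscated
  const m = addr.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return 'other';                       // IPv6 and anything else: not judged here
  const [a, b] = [Number(m[1]), Number(m[2])];
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'private';
  if (a === 127) return 'loopback';
  if (a === 169 && b === 254) return 'link-local';
  return 'public';
}

// "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]"
function parseCandidate(line) {
  const p = line.replace(/^a=/, '').trim().split(/\s+/);
  if (!p[0].startsWith('candidate:') || p[6] !== 'typ' || !p[7]) return null;
  const raddrIdx = p.indexOf('raddr');
  return { address: p[4], type: p[7], relatedAddress: raddrIdx > 0 ? p[raddrIdx + 1] : null };
}

// Report which addresses a page could learn. vpnExitIp is the address the VPN should present.
function auditCandidates(lines, vpnExitIp) {
  const report = { localAddresses: [], publicAddresses: [], leaksRealIp: false, skipped: 0 };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { report.skipped++; continue; }
    for (const addr of [c.address, c.relatedAddress]) {
      if (!addr || addr === '0.0.0.0') continue;
      const kind = classifyAddress(addr);
      if (kind === 'private' && !report.localAddresses.includes(addr)) report.localAddresses.push(addr);
      if (kind === 'public' && !report.publicAddresses.includes(addr)) report.publicAddresses.push(addr);
    }
  }
  // Any public address other than the VPN exit means the tunnel was bypassed.
  report.leaksRealIp = report.publicAddresses.some((ip) => ip !== vpnExitIp);
  return report;
}

// Constructed sample lines using RFC 5737 documentation addresses, not real captures.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:3 1 udp 1686052351 203.0.113.50 40000 typ srflx raddr 10.8.0.2 rport 40000',
  'not a candidate line',
];
console.log(auditCandidates(SAMPLE, '203.0.113.50'));
```

After applying one of the fixes above, a rerun of the self-test should yield no candidates at all, or only ones for which `leaksRealIp` stays false.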

A demo by Daniel Roesler, published on GitHub, allows you to check if you are affected by this security flaw. In a talk with TorrentFreak, TorGuard's CEO mentioned another fix for the vulnerability.

“Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one’s real IP. During our testing, Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes,”

This is a good reminder that even when you think you’re safe, it’s better to double and triple check.

Author:
A UNC Chapel Hill graduate, blockchain enthusiast and analyst. I have a background in programming and IT, strong studies in econ, stats and game theory. I'm interested in online privacy and privacy laws.