This is quite alarming, although there are easy fixes (see below). Unfortunately, most users will not be aware of the problem, and will therefore not take the necessary measures to fix it.
Readers can check to see if their browser is vulnerable by visiting https://diafygi.github.io/webrtc-ips/ .
The makers of the webrtc-ips tool describe the issue in some detail on its GitHub page:
‘Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.’
Type ‘about:config’ into the URL bar (and click through ‘I’ll be careful I promise!’)
Search for ‘media.peerconnection.enabled’
Double-click on the entry to change the Value to ‘false’
The Tor Browser (which is based on Firefox) has this preference set to ‘false’ by default. When we tested for the vulnerability in Android our real IP was not displayed, but we would still recommend setting ‘media.peerconnection.enabled’ to ‘false’ in Firefox for Android too.
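To confirm that the setting has actually stuck in a given Firefox profile, the following check can be run against the profile directory. It is an added example, not part of the original article or of the webrtc-ips project. It assumes the standard Firefox layout, where changed preferences are written to prefs.js as user_pref(...) lines and an optional user.js overrides them at startup; the function names and sample file contents are constructed for illustration.

```python
import re
import sys
from pathlib import Path

PREF = "media.peerconnection.enabled"
# Matches: user_pref("name", value);  (commented-out lines start with // and do not match)
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(text, name=PREF):
    """Return the last value assigned to `name` in prefs.js/user.js text, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)  # a later line overrides an earlier one
    return value

def webrtc_status(prefs_js="", user_js=""):
    """Return (state, source). user.js is applied over prefs.js, so check it first."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = read_pref(text)
        if value is not None:
            return ("disabled" if value == "false" else "enabled"), source
    # Pref never changed: stock Firefox leaves WebRTC peer connections on.
    return "enabled", "default"

def audit_profile(profile_dir):
    """Read prefs.js and user.js from a profile directory and report the state."""
    def load(name):
        f = Path(profile_dir) / name
        return f.read_text(encoding="utf-8", errors="replace") if f.is_file() else ""
    return webrtc_status(load("prefs.js"), load("user.js"))

# Constructed sample: prefs.js after following the about:config steps above.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("media.peerconnection.enabled", false);
'''
# Constructed sample: a leftover user.js that silently turns WebRTC back on.
SAMPLE_USER_JS = '''// user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.enabled", true);
'''

if __name__ == "__main__":
    for profile in sys.argv[1:]:
        print(profile, *audit_profile(profile))
```

A result of ("enabled", "user.js") is the case worth looking for: the about:config change appears to have been made, but user.js reverts it on every start.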
Install the WebRTC Block add-on from the Chrome Store.
NoScript is admittedly a pain to use, as it requires a lengthy ‘training’ period before it stops throwing a panic at every website visited, but when it comes to blocking malicious scripts of all kinds, it simply cannot be beaten.
Update 9 February 2015: although it appeared to work when we first tested it, it seems the WebRTC Block extension does not fix the problem when using Chrome on Windows (and only on Windows). The only solution for Windows Chrome users is to install the ScriptSafe extension (which works in a similar way to NoScript for Firefox).
‘WebRTC Block extension is no longer efficient in blocking WebRTC IP leaking. It’s been like this for a week now, since the guys who made the exploit updated it to by-pass the extension blocking. Our SecureProxy extension is blocking it efficiently though and was updated now (v 1.5.9) to protect against the latest WebRTC exploit code, too. We will probably make another update as there’s something we don’t like about the code at this moment, but we wanted to have it rolled-out ASAP.’
We are particularly interested to note that, according to VPN.ac, the WebRTC Block extension did initially work, but that the exploit was updated to bypass it.