
Browser security hole allows websites to determine real IP even when using VPN

Thanks to discussions on reddit (here and here) we have become aware of a security hole in Firefox and Chrome (Android versions of the browsers appear unaffected) that allows websites to execute WebRTC JavaScript code within visitors’ browsers that can determine their ‘real’ IP, even when using VPN.

This is quite alarming, although there are easy fixes (see below). Unfortunately, most users will not be aware of the problem, and will therefore not take the necessary measures to fix it.

Readers can check to see if their browser is vulnerable by visiting https://diafygi.github.io/webrtc-ips/ .

WebRTC

The makers of the webrtc-ips tool describe the issue in some detail on its GitHub page:

Firefox and Chrome have implemented WebRTC that allows requests to STUN servers to be made that will return the local and public IP addresses for the user. These request results are available to JavaScript, so you can now obtain a user's local and public IP addresses in JavaScript. This demo is an example implementation of that.

Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.
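A self-check for the behaviour quoted above, added here as an example and not taken from the webrtc-ips project or the original article: it parses ICE candidate lines copied from your own browser's WebRTC diagnostics and flags every address that page script could read and that is not the VPN exit IP. The function names, the sample lines and the exit address 203.0.113.10 are assumptions constructed for illustration.

```javascript
// Added example. All sample lines are constructed; addresses use documentation ranges.
const PRIVATE_V4 = [
  [/^10\./, "private"], [/^192\.168\./, "private"],
  [/^172\.(1[6-9]|2\d|3[01])\./, "private"],
  [/^127\./, "loopback"], [/^169\.254\./, "link-local"],
];
const CANDIDATE_RE =
  /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport \d+)?/;

// Parse one candidate line (RFC 5245 candidate-attribute layout).
function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]),
           type: m[4], relatedAddress: m[5] || null };
}

function scopeOf(address) {
  if (address.endsWith(".local")) return "mdns";   // obfuscated host candidate
  if (address.includes(":")) return "ipv6";        // flagged for manual review
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(address)) return "unknown";
  const hit = PRIVATE_V4.find(([re]) => re.test(address));
  return hit ? hit[1] : "public";
}

// List each address exposed to page script; flag those that are not the VPN exit IP.
function auditCandidates(lines, vpnExitIp) {
  const seen = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.relatedAddress]) {
      if (!addr || addr === "0.0.0.0" || seen.has(addr)) continue;
      const scope = scopeOf(addr);
      const leak = scope === "public" ? addr !== vpnExitIp
                                      : scope === "private" || scope === "ipv6";
      seen.set(addr, { address: addr, scope, via: c.type, leak });
    }
  }
  return [...seen.values()];
}
const SAMPLE = [ // constructed: LAN host, VPN tunnel host, two srflx results, one mDNS host
  "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host",
  "candidate:2 1 udp 2122194687 10.8.0.6 51235 typ host",
  "candidate:3 1 udp 1686052607 198.51.100.77 51234 typ srflx raddr 192.168.1.23 rport 51234",
  "candidate:4 1 udp 1686052351 203.0.113.10 51235 typ srflx raddr 10.8.0.6 rport 51235",
  "a=candidate:5 1 udp 2122260223 3f1c2b7e-aaaa-4bbb-8ccc-1234567890ab.local 51236 typ host",
];
console.table(auditCandidates(SAMPLE, "203.0.113.10"));
```

A server-reflexive (srflx) address that differs from the VPN exit IP means a STUN request left through the physical interface rather than the tunnel.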

Fixes

Firefox

Type ‘about:config’ into the URL bar (and click through ‘I’ll be careful I promise!’)

Search for ‘media.peerconnection.enabled’
Double-click on the entry to change the Value to ‘false’


The Tor Browser (which is based on Firefox) has this preference set to ‘false’ by default. Although when we tested for the vulnerability in Android our real IP was not displayed, we would recommend setting ‘media.peerconnection.enabled’ to ‘false’ in Firefox for Android too.

Chrome

Install the WebRTC Block add-on from the Chrome Store.

It should also be noted that although browser add-ons such as Adblock Plus and Ghostery do not block this vulnerability, using NoScript will.

NoScript is admittedly a pain to use, as it requires a lengthy ‘training’ period before it stops throwing a panic at every website visited, but when it comes to blocking malicious scripts of all kinds, it simply cannot be beaten.

Update 9 February 2015: although it appeared to work when we first tested it, it seems the WebRTC Block extension does not fix the problem when using Chrome in Windows (only). The only solution for Windows Chrome users is to install the ScriptSafe extension (which works in a similar way to NoScript for Firefox).

Update 10 February 2015: We have spotted the following statement by Romanian VPN outfit VPN.ac, posted on its Facebook page:

WebRTC Block extension is no longer efficient in blocking WebRTC IP leaking. It’s been like this for a week now, since the guys who made the exploit updated it to by-pass the extension blocking. Our SecureProxy extension is blocking it efficiently though and was updated now (v 1.5.9) to protect against the latest WebRTC exploit code, too. We will probably make another update as there’s something we don’t like about the code at this moment, but we wanted to have it rolled-out ASAP.

We are particularly interested to note that, according to VPN.ac, the WebRTC Block extension did initially work, but that the exploit was updated to by-pass it.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+



13 responses to “Browser security hole allows websites to determine real IP even when using VPN”

  1. What about Opera? It leaks my real IP.
    Safari seems secure. My Firefox wasn’t leaking before I changed media.peerconnection.enabled to false but did it anyway to be sure.

    1. Hi boris,

      The problem manifests mainly on Windows machines, so you probably have nothing to worry about. Have you tried using the tool discussed above (or visiting ipleak.net)? If your real IP is being leaked, then you can switch to using Firefox for Mac.

  2. Anybody using Chromium/Chrome please check this vulnerability at ipleak.net. Even when using the extension WebRTC Block it will still leak IPs.

    1. Hi Pogue,

      I did check this when I wrote the article, and no DNS leaks showed up. I have just checked again however, and you are correct. The best advice is therefore to stick with Firefox (a superior choice privacy-wise in our opinion anyway) and implement the fix described in the article (which I will update now). Thanks.

    1. Hi Ben,

      This issue only affects Firefox and Chrome – not Microsoft Internet Explorer or other browsers. I should however point out that in every other way IE is not a secure browser. If in doubt, just visit the link mentioned in the article to see if a given browser leaks its real IP address.

  3. Thank you very much, I made the change. I do use NoScript, and sincerely doubt that any of my Internet usage could ever get me in trouble anyway. But it’s a matter of principle.

  4. Yup, was definitely surprised when I saw my real IP glowing in front of me. Thanks for bringing our attention to this and indicating how to fix it. It’s this JavaScript again… Just problems with that thing…
