Chrome & Firefox Users Are Leaking Their IP Address…Even While Using a VPN

conf-com-usrThe only way you can guarantee your privacy while using a computer or mobile device, is to just disconnect them from the network. Or become a security expert. But if you must be online and want (or need) to be as secure as possible, you won’t want to use Google’s Chrome or Mozilla’s Firefox browsers until you make some changes since your IP address can be easily discovered.

You may know about (and already use, as I do) AdBlockPlus or Ghostery. These browser add-ons are used to block advertisements and also let you control who can track you by blocking services and advertisers from doing so.

So imagine how stunned I was to learn that the very cool and new WebRTC technology (for using video, audio and screensharing right inside your web browser) can leak your internet (IP) address.

Advertisers, and tracking services, love to set tracking cookies that map to your IP address. Then they can follow you around as you use that browser to surf the internet. Intelligence agencies love to discover the IP address of someone since they then can go right to the spot from where they’re connecting.

This flaw in WebRTC is especially troublesome since it would compromise someone whistleblowing, in a country with an oppressive regime in power, businesses communicating online with WebRTC, or anyone legitimately wanting their online activities to be private…especially when they believe they are safe while using a VPN.

Using Chrome or Firefox? Click here to check and see if you are vulnerable.

Test your browser here. If you see Is WebRTC Enabled ! true” appear, you are vulnerable. If you are vulnerable, click the link on that page that says, “How to Disable WebRTC” and follow the instructions.

That IP address leakage is bad enough, but what is worse is that your IP address leaking is NOT able to be detected by any current plugins (e.g., Ghostery) or even the developer tools in Google’s Chrome or the Mozilla Firefox browsers (the primary ones that support WebRTC currently).

ThreatPost has this excellent article on this leak problem:

A recently publicized hole in WebRTC, a protocol for web communication, is revealing the local IP addresses of users, even those who go to extra lengths to hide theirs by using a virtual private network.

Daniel Roesler, a San Francisco-based researcher who’s dabbled in encryption, posted a demonstration on GitHub last week to illustrate how the vulnerability works.

Roesler’s proof-of-concept shows how websites make requests to STUN servers. STUN – or Session Traversal Utilities for NAT, servers – send a ping back that contains the IP address and port of the client–from the server’s perspective. The local and public IP addresses of the user can be gleaned from these requests via JavaScript.

So basically an advertiser, tracking service or intelligence agency can easily setup a STUN server and all requests to a page on that server—with special javascript code loading in a Chrome or Firefox browser—would reveal the IP address of the visitor and allow that page to set a tracking cookie.

Of course, you shouldn’t be doing anything online—even if using a VPN—that’s illegal like pirating movies or music, or buying stuff from a drug ecommerce site like Silk Road. But be especially careful if you are in a country, or situation, that means your life might be in danger if you are caught communicating using something like WebRTC.

How to Disable WebRTC

In Firefox:

  • To disable WebRTC, go to about:config and click-to-toggle media.peerconnection.enabled to false.
  • Or install this Firefox add-on

In Chrome:

  • Bad news? You CAN’T turn off WebRTC on desktop version of Google Chrome.
  • Good news? Install this Chrome Extension: WebRTC Leak Prevent
Posted in ,  

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Steve Borsch

Strategist. Learner. Idea Guy. Salesman. Connector of Dots. Friend. Husband & Dad. CEO. Janitor. More here.

Facebook | Twitter | LinkedIn

Posts by Category

Archives (2004 – Present)

Connecting the Dots Podcast

Podcasting hit the mainstream in July of 2005 when Apple added podcast show support within iTunes. I'd seen this coming so started podcasting in May of 2005 and kept going until August of 2007. Unfortunately was never 'discovered' by national broadcasters, but made a delightfully large number of connections with people all over the world because of these shows. Click here to view the archive of my podcast posts.