Browser Security Hole May Allow Real IP Leak
According to research recently posted to reddit here, a new security vulnerability has been uncovered that is affecting both Windows firefox and chrome web browsers. This new IP check method allows websites to determine a web user’s actual ISP issued IP address, even when using a VPN. This is accomplished by running a WebRTC JavaScript code within the visitor’s web browser and can be executed behind the scenes without the user’s prior knowledge. Android, Linux and Max OSx versions of these web browsers do not appear affected at this time.
While developments like this can appear frightening, the good news is there is a simple fix. The real problem here however is not the fix, but rather the fact that many users will go about their day to day activities without knowledge of this flaw. It is important that you take a few minutes to make sure your system is patched.
More information on what this does is available from the researcher’s github page:
“Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript. This demo is an example implementation of that.
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.”
How to fix the WebRTC Security Hole
In Chrome browser there is now a free extension available that will patch this problem directly. You can install this add-on from the Chrome Store here.
In Firefox, there are a few more steps to patch the problem. First, type “about:config” directly into the URL bar and hit enter. Then search for “media.peerconnection.enabled” and double click this option to set it to false.
Lockdown your Network with a VPN Router
Those who are accessing the VPN by means of a VPN router are not affected by this vulnerability, however we do suggest fixing your browsers as a precaution. A VPN router runs the private tunnel directly and broadcasts the VPN via wifi so devices can connect to the network like they normally would. This leaves zero chance that a rogue script will be able to bypass the software VPN and find your ISP issued IP address because the VPN is in fact running on your router. TorGuard’s VPN router store sells a variety of high speed VPN routers that are capable of securing any network without sacrificing privacy or performance.
Thanks for the warning about his. It's disturbing to know that I've been operating with a major security hole in my browsing for months.
"Android, Linux and Max OSx versions of these web browsers do not appear affected at this time." WRONG! I'm having exactly the same issues on my Macs in Chrome and Firefox. So clearly this is not an OS-related issue, nor is it limited to Windows users.
The suggested fixes for Chrome and Firefox do work on OSX, and without fixing it OSX users are every bit as vulnerable to having their home IP address discovered as are Windows users.
As such your article is misleading and is likely to result in OSX users being led to the false conclusion that they don't have anything to worry about. Please correct this ASAP.
I have no way of testing this on Android and Linux, but it's entirely possible you may be wrong about those too.
just confirming this DOES impact OS X versions of Firefox for sure. i was shocked to see both the VPN IP and my real IP...disturbing. I can NOT replicate this in Safari, so article seems correct about Firefox and Chrome. Safari just leaves the IP addresses blank on the page. With Firefox, the addresses were listed next to each one below, with Safari, they are blank....phew, i always use Safari on my Mac.
Demo for: https://github.com/diafygi/webrtc-ips
This demo secretly makes requests to STUN servers that can log your request. These requests do not show up in developer consoles and cannot be blocked by browser plugins (AdBlock, Ghostery, etc.).
Your local IP addresses:
Your public IP addresses:
@admin
This doesn't seem to work on the latest Chrome for Linux, as I assume the browser isn't able to choose the interface to send traffic out of.
It does, however, reveal both my local IP (wlan and tun0) addresses. Which is a privacy/tracking issue nonetheless.
On Linux, you can use firewall rules to prevent any traffic from going to anything other than the TorGuard VPN server IPs, as follows: http://heapspray.net/post/allow-traffic-only-to-vpn-in-linux-with-iptables/
If anyone on Linux is affected, the above steps will prevent revealing your ISP issued IP to the STUN server, as long as your ISP issued IP isn't set as the address to one of your hardware interfaces. That's a good quick fix that catches a lot of other security issues.
Layered security is always a good idea.
the claimed wrtc block solution for chrome listed above does not appear to be working anymore. can anyone please confirm this?
The WebRTC block isn't working for chrome. If you use WebRTC site it shows blocked but every other ISP check site shows the WebRTC leak.
NoScript in Firefox won't help here? I know only that I know nothing-
It should do yes but our TG Lite client blocks this by default.
Regards
The WebRTC Chrome Extension does not work.
Is there another recommendation for this?
Our TG Lite client comes with a WebRTC block built in :)
Regards
Hello , well i have a solution ( not a fix ) , if it can help some people , change your vpn protocol for L2TP - IPSEC , PPTP or SSTP , ( maybe there are more protocol who can block this exploit but i only try those one , the exploit will not work on any browser who have WebRTC support , but that need to change your vpn protocol and then take the inconveniance of an other protocol :( but there are good protocol wich dont work with openvpn , i suggest for most of people L2TP - IPSEC protocol for your vpn . That's all .
Have a nice day :)
very informative post thanks for sharing.
http://www.delegaip.com/blog/2015/05/10/safe-proxy-hides-your-proxy-address-for-private-browsing-blocked-media/