Anonymous VPN & Proxy Blog

 The Latest TorGuard VPN News, How-To's, Security Updates and more.
29 January

Browser Security Hole May Allow Real IP Leak

Comments

    admin - February 2, 2015

    Thanks for the warning about this. It's disturbing to know that I've been operating with a major security hole in my browsing for months.

    "Android, Linux and Mac OSx versions of these web browsers do not appear affected at this time." WRONG! I'm having exactly the same issues on my Macs in Chrome and Firefox. So clearly this is not an OS-related issue, nor is it limited to Windows users.

    The suggested fixes for Chrome and Firefox do work on OSX, and without fixing it OSX users are every bit as vulnerable to having their home IP address discovered as are Windows users.

    As such your article is misleading and is likely to result in OSX users being led to the false conclusion that they don't have anything to worry about. Please correct this ASAP.

    I have no way of testing this on Android and Linux, but it's entirely possible you may be wrong about those too.

      admin - February 12, 2015

      Just confirming this DOES impact OS X versions of Firefox for sure. I was shocked to see both the VPN IP and my real IP...disturbing. I can NOT replicate this in Safari, so the article seems correct about Firefox and Chrome. Safari just leaves the IP addresses blank on the page. With Firefox, the addresses were listed next to each one below; with Safari, they are blank....phew, I always use Safari on my Mac.

      Demo for: https://github.com/diafygi/webrtc-ips
      This demo secretly makes requests to STUN servers that can log your request. These requests do not show up in developer consoles and cannot be blocked by browser plugins (AdBlock, Ghostery, etc.).
      Your local IP addresses:
      Your public IP addresses:

    admin - February 4, 2015

    @admin

    This doesn't seem to work on the latest Chrome for Linux, as I assume the browser isn't able to choose the interface to send traffic out of.

    It does, however, reveal both my local IP (wlan and tun0) addresses. Which is a privacy/tracking issue nonetheless.

    On Linux, you can use firewall rules to prevent any traffic from going to anything other than the TorGuard VPN server IPs, as follows: http://heapspray.net/post/allow-traffic-only-to-vpn-in-linux-with-iptables/

    If anyone on Linux is affected, the above steps will prevent revealing your ISP issued IP to the STUN server, as long as your ISP issued IP isn't set as the address to one of your hardware interfaces. That's a good quick fix that catches a lot of other security issues.

    Layered security is always a good idea.

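The firewall approach described in the comment above, as an added example that is not part of the original thread or of the linked post: shell functions that print `iptables-restore` rulesets dropping everything except loopback, the tunnel, and the single flow to the VPN server. The server address `203.0.113.10` (a documentation placeholder), port `1194/udp` and interface `wlan0` are assumptions; `tun0` is the tunnel name from the comment.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables-restore rulesets that
# allow traffic only through the tunnel and to the VPN server itself.
# Assumed values: 203.0.113.10 is a documentation placeholder for the VPN
# server IP; 1194/udp and wlan0 are illustrative.
# Apply as root: vpn_only_rules 203.0.113.10 1194 udp wlan0 tun0 | iptables-restore

is_ipv4() {
    # Accept only dotted quads with every octet in 0..255.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

vpn_only_rules() {
    vpn_ip=$1; vpn_port=$2; proto=$3; phys_if=$4; tun_if=$5
    is_ipv4 "$vpn_ip" || { echo "bad VPN server IP: $vpn_ip" >&2; return 2; }
    case $proto in udp|tcp) ;; *) echo "bad protocol: $proto" >&2; return 2 ;; esac
    case $vpn_port in ''|*[!0-9]*) echo "bad port: $vpn_port" >&2; return 2 ;; esac
    # Connect to the server by IP: DNS over the physical interface is dropped too.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
-A OUTPUT -o $phys_if -d $vpn_ip/32 -p $proto --dport $vpn_port -j ACCEPT
COMMIT
EOF
}

vpn_only_rules6() {
    # iptables does not filter IPv6; drop it everywhere except loopback.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}
```

With these rules a STUN request cannot leave through `wlan0`, so it is either sent through the tunnel or dropped. They do not stop the browser from reading the addresses assigned to local interfaces, which is the caveat the comment raises.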
    admin - February 7, 2015

    The claimed wrtc block solution for Chrome listed above does not appear to be working anymore. Can anyone please confirm this?

    admin - February 11, 2015

    The WebRTC block isn't working for Chrome. If you use the WebRTC site it shows blocked, but every other ISP check site shows the WebRTC leak.

    admin - March 8, 2015

    NoScript in Firefox won't help here? I know only that I know nothing-

      admin - March 24, 2015

      It should do, yes, but our TG Lite client blocks this by default.

      Regards

    admin - March 23, 2015

    The WebRTC Chrome Extension does not work.

    Is there another recommendation for this?

      admin - March 24, 2015

      Our TG Lite client comes with a WebRTC block built in :)

      Regards

    admin - April 21, 2015

    Hello, well, I have a solution (not a fix), if it can help some people: change your VPN protocol to L2TP-IPSEC, PPTP or SSTP (maybe there are more protocols that can block this exploit, but I only tried those). The exploit will not work on any browser that has WebRTC support, but that requires changing your VPN protocol and then accepting the inconvenience of another protocol :( But there are good protocols which don't work with OpenVPN; I suggest the L2TP-IPSEC protocol for your VPN for most people. That's all.

    Have a nice day :)

    admin - May 10, 2015

    very informative post thanks for sharing.

    http://www.delegaip.com/blog/2015/05/10/safe-proxy-hides-your-proxy-address-for-private-browsing-blocked-media/
