Browser Security Hole May Allow Real IP Leak
According to research recently posted to Reddit, a new security vulnerability has been uncovered that affects both the Firefox and Chrome web browsers on Windows. This new IP check method allows websites to determine a web user’s actual ISP-issued IP address, even when the user is connected to a VPN. It works by running WebRTC JavaScript code within the visitor’s web browser, and it can be executed behind the scenes without the user’s knowledge. Android, Linux and Mac OS X versions of these web browsers do not appear to be affected at this time.
While developments like this can appear frightening, the good news is that there is a simple fix. The real problem here, however, is not the fix but the fact that many users will go about their day-to-day activities without knowledge of this flaw. It is important that you take a few minutes to make sure your system is patched.
More information on what this does is available from the researcher’s GitHub page:
“Firefox and Chrome have implemented WebRTC that allows requests to STUN servers to be made that will return the local and public IP addresses for the user. These request results are available to JavaScript, so you can now obtain a user’s local and public IP addresses in JavaScript. This demo is an example implementation of that.
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.”
How to fix the WebRTC Security Hole
In Chrome, there is now a free extension available that will patch this problem directly. You can install this add-on from the Chrome Store here.
In Firefox, there are a few more steps to patch the problem. First, type “about:config” directly into the URL bar and hit Enter. Then search for “media.peerconnection.enabled” and double-click this option to set it to false.
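To confirm that the Firefox setting above has taken effect in every profile on a machine, the following added example (not from the original article or the researcher's page) reads each profile's prefs.js and user.js and reports whether media.peerconnection.enabled is explicitly false. The profiles directory you pass in and the sample text are assumptions; an unset preference is treated as enabled, which is Firefox's default.

```python
import re
import sys
from pathlib import Path

PREF = "media.peerconnection.enabled"
# Firefox writes user-set prefs as lines like: user_pref("name", value);
# Anchoring at line start skips lines commented out with //.
LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

# Constructed sample prefs.js content, used only for the demo run below.
SAMPLE = 'user_pref("browser.startup.page", 3);\n' \
         'user_pref("media.peerconnection.enabled", false);\n'

def read_pref(text, name=PREF):
    """Return the last value set for `name` in a prefs file, or None if absent."""
    value = None
    for key, raw in LINE.findall(text):
        if key == name:
            value = raw  # later lines win, so keep overwriting
    return value

def webrtc_disabled(profile_dir):
    """True only if the profile explicitly sets the pref to false.

    user.js is applied over prefs.js at startup, so it is read last.
    A missing pref means the browser default applies (WebRTC enabled).
    """
    effective = None
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            found = read_pref(text)
            if found is not None:
                effective = found
    return effective == "false"

def audit(profiles_root):
    """Map each profile directory name to True (patched) or False (not patched)."""
    root = Path(profiles_root)
    return {p.name: webrtc_disabled(p) for p in sorted(root.iterdir()) if p.is_dir()}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a Firefox "Profiles" directory
        for name, ok in audit(sys.argv[1]).items():
            print(f"{name}: {'WebRTC disabled' if ok else 'WebRTC still enabled'}")
    else:
        print("sample value:", read_pref(SAMPLE))
```

A profile that reports as still enabled either never had the setting changed or has a user.js that resets it at every start.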
Lock Down Your Network with a VPN Router
Those who access the VPN through a VPN router are not affected by this vulnerability; however, we do suggest fixing your browsers as a precaution. A VPN router runs the private tunnel directly and broadcasts the VPN via Wi-Fi so devices can connect to the network as they normally would. This leaves zero chance that a rogue script will be able to bypass the software VPN and find your ISP-issued IP address, because the VPN is in fact running on your router. TorGuard’s VPN router store sells a variety of high-speed VPN routers that are capable of securing any network without sacrificing privacy or performance.