That didn’t take long. Just a few months back, TorGuard became aware of a new security vulnerability that allowed websites to find a user’s real IP by making secret STUN requests via WebRTC. Now it appears we have our first case of this actually being used in the wild, ironically in the name of “user privacy”.
Let’s Break Some Stuff, eh?
Shortly after this issue began attracting increased attention, Dan Kaminsky, the security researcher and co-founder of WhiteOps, offered up an explanation:
On GitHub, Dan explained that the code was actually part of a project he was working on for ad networks that helped combat the usage of bots:
“This is part of an anti-bot technology I’ve been developing at White Ops (whiteops.com) for some time. There’s a flip side to privacy here; turns out something like 2/3rds of bot fraud comes from home users who get compromised so as to effect more ad fraud. We’re basically attacking the funding channel that gets people hacked. But it does require us to be able to detect the hacking, so we have these tests deployed.”
Only a few days after defending these actions, Dan disabled all STUN requests. Users have confirmed that the WebRTC code is no longer active on these websites and has been replaced with an alternative script.
Don’t Compromise on User Privacy
While the intentions may have been respectable, overreaching actions that negate user privacy almost always come with inherent risks. In this case we must ask ourselves, is it worth breaking internet privacy in the name of combating advertisement fraud? We think not.
With big data comes big responsibility. Any ad network that routinely violates user privacy in the name of analytics will in time become a large target itself for surveillance operations. If you cannot fully trust the person in charge of tracking all that data, good intentions can turn malicious very quickly.
Never entrust your personal privacy to some random website or ad network whose terms of service you probably don’t have access to. TorGuard anonymous VPN provides easy-to-use privacy solutions that block advertisers from knowing your personal IP address or true location. With simple VPN apps that feature WebRTC leak block and IPv6 leak prevention measures, you can be sure your personal IP address is no one’s business but your own.