Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy IT Technology

Many VPN Providers Leak Customer's IP Address via WebRTC Bug (bleepingcomputer.com) 83

An anonymous reader shares a report: Around 20% of today's top VPN solutions are leaking the customer's IP address via a WebRTC bug known since January 2015, and which apparently some VPN providers have never heard of. The discovery belongs to Paolo Stagno, a security researcher who goes by the pseudonym of VoidSec, and who recently audited 83 VPN apps on this old WebRTC IP leak. Stagno says he found that 17 VPN clients were leaking the user's IP address while surfing the web via a browser. The researcher published his results in a Google Docs spreadsheet. The audit list is incomplete because Stagno didn't have the financial resources to test all commercial VPN clients.
This discussion has been archived. No new comments can be posted.

Many VPN Providers Leak Customer's IP Address via WebRTC Bug

Comments Filter:
  • Disable WebRTC, you dumb shits.

    • Being that many didn't know about this vulnerability. beforehand it means Disabling WebRTC may effect features that their customers expect.

      • by Anonymous Coward

        You can't disable WebRTC on Chrome, true story

    • by AHuxley ( 892839 )
      Put the users computer behind a fast ethernet router with the VPN crypto.
      A really great router with the chipset to keep up with the ISP and secure VPN crypto in real time.
      That would ensure the browser, OS, add ons, plug ins, extensions, malware, ads can only see the internet as a VPN ip.
      From the most normal ways around a VPN in the OS.

      The security services just collect it all in real time without much effort globally.
  • by Xenna ( 37238 ) on Wednesday March 28, 2018 @01:46PM (#56342649)

    I just discovered this bug today myself by chance, but AFAIK if you're using NAT (which most of us do) this will only reveal your 'local' IP addres, usually something like 192.168.0.x. Still nasty, but it won't immediately identify you.

    Also, there's an ad blocker plugin for most popular browsers (uBlock Origin) that has an optional setting that blocks this.

    Test for the vulnerability here:

    https://www.whatismybrowser.co... [whatismybrowser.com]

    The page will reveal your local IP if your browser is vulnerable (no VPN needed).

    • by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday March 28, 2018 @02:47PM (#56343005) Homepage Journal

      It did reveal my local-network IPV4 address behind NAT, which is of little use to anyone. But it also showed my public IPV6 address, which is no surprise because there's no NAT. That's the dangerous one. I am not using a VPN, but if it was using one to conceal my identity this would reveal a traceable IP address.

    • by Anonymous Coward

      Not possible to detect your local IP.

      I disabled webrtc in firefox the instant i updated to the version which included it. I want a web browser not a god damn app platform. Every new 'feature' is just another attack surface.

      FYI
      about:config
      media.peerconnection.enabled = false

  • by Anonymous Coward

    The google doc suggests it's vulnerable but visiting https://ip.voidsec.com/ myself everything looked fine. The google doc references https://www.vpncompare.co.uk.

    There's nothing about WebRTC in the review of PIA (https://www.vpncompare.co.uk/private-internet-access-review/)

    This article about it going open source only mentions WebRTC in the context of a chrome extension blocking IP discovery (https://www.vpncompare.co.uk/private-internet-access-vpn-taking-to-the-open-source-road/)

    I just tried https://ipx.a

  • I started looking at VPN providers and stumbled across this guys site. [thatoneprivacysite.net] Talk about information overload! I don't know anything other than what he has posted but by the looks of it he has way more free time than I do. So if your VPN is "leaking" this might be a good source for deciding who your next VPN provider will be.
    • by pnutjam ( 523990 )
      AirVPN and PIA are not on that list. PIA is US based, which some might like, but some might not. Air is based in France, still 5 eyes, but Euro privacy protection.
      • by jaa101 ( 627731 )

        Air is based in France, still 5 eyes

        I thought the five were US, UK, Canada, Australia and New Zealand. What's your issue with France?

  • Let's be a little bit more specific. The bug works with Chrome, Firefox and Opera. Both IE and Seamonkey are not affected. Not sure about Edge....
    • by E-Rock ( 84950 )

      Edge and IE have webRTC disabled by default. So the MS browsers are safe. I know, I was shocked too. :)

  • by Anonymous Coward

    As always (see the Facebook discussion), the browser mutated from a hypertext viewing application into a spyware executing monster, a thing picking up random executables off the 'net and colluding with everyone out there against the user.

    The sad part is that even Mozillians have been carried away by "oh, shiny!" and "ours is the fastest javascript engine" instead of throwing some weight into keeping the javascript-free web viable.

  • by ledow ( 319597 )

    Nothing to do with the VPN.

    For a start, they shouldn't be opening packets and inspecting protocols, so they can't "fix" this for you in any way, shape or form, if they're doing their job.

    This is the browser talking to an outside STUN server deliberately saying "My internal IP is X.X.X.X". The VPN shouldn't be interfering with that. No VPN (hardware or software) should be combatting that.

    If you're worried about it, don't use browsers that do that.

    VPNs are NOT there to provide protection from data-escape.

  • Pale Moon intentionally does not support WebRTC [palemoon.org]:

    WebRTC. Apart from opening up a whole can of worms security/privacy-wise, "Web Real Time Chat" (comparable with Skype video calls and the likes) is not considered useful or desired functionality for Pale Moon (both according to the developers and the users of the browser at large). This is best left to dedicated programs or at most a browser plug-in.

This restaurant was advertising breakfast any time. So I ordered french toast in the renaissance. - Steven Wright, comedian

Working...