Many VPN Providers Leak Customer's IP Address via WebRTC Bug

An anonymous reader shares a report: Around 20% of today's top VPN solutions are leaking the customer's IP address via a WebRTC bug known since January 2015, and which apparently some VPN providers have never heard of. The discovery belongs to Paolo Stagno, a security researcher who goes by the pseudonym of VoidSec, and who recently audited 83 VPN apps on this old WebRTC IP leak. Stagno says he found that 17 VPN clients were leaking the user's IP address while surfing the web via a browser. The researcher published his results in a Google Docs spreadsheet. The audit list is incomplete because Stagno didn't have the financial resources to test all commercial VPN clients.

How are VPN providers supposed to stop this?

[Anonymous Coward]

Disable WebRTC, you dumb shits.

Re:

[jellomizer]

Being that many didn't know about this vulnerability. beforehand it means Disabling WebRTC may effect features that their customers expect.

Re:

[jellomizer]

From Wikipedia [wikipedia.org]:

WebRTC (Web Real-Time Communication) is a free, open-source project that provides web browsers and mobile applications with real-time communication (RTC) via simple application programming interfaces (APIs). It allows audio and video communication to work inside web pages by allowing direct peer-to-peer communication, eliminating the need to install plugins or download native apps.[1] Supported by Google, Mozilla, and Opera, WebRTC is being standardized through the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF).[2]

It would seem just going and disabling the feature may cause some angry customers calling and complaining.

Re:

[sexconker]

Nobody fucking needs or wants WebRTC.

Re:

[jellomizer]

But Flash support is going out, and I don't even know if RealPlayer is still in existence.

Re:How are VPN providers supposed to stop this?

[barc0001]

Not everyone can be expected to be an expert in security. That's like saying if you get on a plane that hasn't had its maintenance done and it crashes, it was your fault for getting on the plane without knowing what its maintenance status was.

Re:

[Anonymous Coward]

Just like it's always the victim's fault for being in the wrong place at the wrong time when they're murdered. Their fault for not fully understanding everything and everyone they chose to be around, right? Or maybe you're dumb as all hell.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[barc0001]

> and then the passenger (user) brings a bomb (WebRTC) on the plane

Your analogy doesn't work because your passenger knows they're bringing a bomb onto the plane. I bet you $100 that 99 out of 100 VPN customers have never heard of WebRTC, let alone know what it does and certainly don't know it breaks the VPN's privacy.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ichimunki]

Oh come on! This is Internet101 stuff that anyone can do. I run a private VPN at home using a little Raspberry Pi server (used to be a Mac mini, but trying to go all open source) before my browser traffic even goes out the cable modem. That way even my ISP doesn't know where the traffic is coming from.

Re:

[barc0001]

> Oh come on! This is Internet101 stuff that anyone can do.

Does your mom or your brother or uncle or cousin run a VPN with an RPi? Did they set it up themselves? If not, why not?

Internet 101 is AOL level knowledge for most of the population, the people who post to /. have just a little more expertise than the average person...

Re: How are VPN providers supposed to stop this?

[Brockmire]

What? Your ISP will see the traffic come from your pi. Your connection to the pi is encrypted, your DNS lookups from pi to whatever DNS server is easily known by ISP. Did you poorly explain your setup?

Re:

[x_t0ken_407]

I was thinking the exact same thing! I was wondering if he knew that the VPN is still getting it's IP from the ISP and that traffic from it is not encrypted...

Re: How are VPN providers supposed to stop this?

[Brockmire]

Pilots: ignore this guy. You guys better not get on the plane without knowing the maintenance schedule.

Re:

[barc0001]

I'm sure the guy sitting in 24c is a pilot, as is the lady in 14b...

Re:

[jellomizer]

It is also the responsibility of everyone else that you use services of as well.
If I cross the street and fall down an open manhole cover.
I am responsible for keeping an eye on where I am looking.
The person who opened the manhole cover is responsible for blocking off the area for others to see that it is open.

Re:

[Anonymous Coward]

You can't disable WebRTC on Chrome, true story

Re:

[AHuxley]

Put the users computer behind a fast ethernet router with the VPN crypto.
A really great router with the chipset to keep up with the ISP and secure VPN crypto in real time.
That would ensure the browser, OS, add ons, plug ins, extensions, malware, ads can only see the internet as a VPN ip.
From the most normal ways around a VPN in the OS.

The security services just collect it all in real time without much effort globally.

Re:

[Dr_Harm]

It looks to me like the STUN server is the one doing the leaking. And that's a function of whatever WebRTC service you're using, not your VPN provider or your browser.

Re:

[torqer]

in my Experience with a webrtc phone... Chrome leaks it. Firefox doesn't.

The bug and the way around it

[Xenna]

I just discovered this bug today myself by chance, but AFAIK if you're using NAT (which most of us do) this will only reveal your 'local' IP addres, usually something like 192.168.0.x. Still nasty, but it won't immediately identify you.

Also, there's an ad blocker plugin for most popular browsers (uBlock Origin) that has an optional setting that blocks this.

Test for the vulnerability here:

https://www.whatismybrowser.co... [whatismybrowser.com]

The page will reveal your local IP if your browser is vulnerable (no VPN needed).

Re:The bug and the way around it

[Bruce Perens]

It did reveal my local-network IPV4 address behind NAT, which is of little use to anyone. But it also showed my public IPV6 address, which is no surprise because there's no NAT. That's the dangerous one. I am not using a VPN, but if it was using one to conceal my identity this would reveal a traceable IP address.

Re:

[Bruce Perens]

You discovered this just now? I made that conclusion years ago while surfing to a porn site.

I must confess to being that boring sort of individual who doesn't really have anything to hide. At least yet, the way things are going it could get to the point that every civil person will need to hide.

Thus, I haven't been using any sort of concealment technology and haven't concerned myself with the fact that my IP address can be identified.

At the moment it's still legal for you to look at that porn site. Althoug

Re:

[Lost Race]

Everyone has something to hide. Maybe you just don't know what yours is yet. By the time you find out it will be too late. Best to bide everything you possibly can.

Re:

[cerberusss]

I must confess to being that boring sort of individual who doesn't really have anything to hide

For now. However next year, your particular idiosyncrasies and/or opinions could easily become politically incorrect.

Re:

[Anonymous Coward]

Not possible to detect your local IP.

I disabled webrtc in firefox the instant i updated to the version which included it. I want a web browser not a god damn app platform. Every new 'feature' is just another attack surface.

FYI
about:config
media.peerconnection.enabled = false

Re:

[Xenna]

You're right of course. I remember playing with 'beef' sometime and that was pretty sobering.

https://www.hacking-tutorial.c... [hacking-tutorial.com] (you don't even need to use XSS if you own the site)

Re: When will a VPN provider get hacked?

[Brockmire]

If you buy VPS during promos, you can get one for $12/year. I have some for $6/year. I got a promo for 5 IPv4 with 2GB and 2 cores for $20/year. The cost difference is my time.

Private Internet Access

[Anonymous Coward]

The google doc suggests it's vulnerable but visiting https://ip.voidsec.com/ myself everything looked fine. The google doc references https://www.vpncompare.co.uk.

There's nothing about WebRTC in the review of PIA (https://www.vpncompare.co.uk/private-internet-access-review/)

This article about it going open source only mentions WebRTC in the context of a chrome extension blocking IP discovery (https://www.vpncompare.co.uk/private-internet-access-vpn-taking-to-the-open-source-road/)

I just tried https://ipx.a

VPN Overload

[ArhcAngel]

I started looking at VPN providers and stumbled across this guys site. [thatoneprivacysite.net] Talk about information overload! I don't know anything other than what he has posted but by the looks of it he has way more free time than I do. So if your VPN is "leaking" this might be a good source for deciding who your next VPN provider will be.

Re:

[pnutjam]

AirVPN and PIA are not on that list. PIA is US based, which some might like, but some might not. Air is based in France, still 5 eyes, but Euro privacy protection.

Re:

[jaa101]

Air is based in France, still 5 eyes

I thought the five were US, UK, Canada, Australia and New Zealand. What's your issue with France?

Re:

[pnutjam]

I thought Eurozone was part of the five eyes, consider me corrected.

Chrome and Firefox Only

[petermp]

Let's be a little bit more specific. The bug works with Chrome, Firefox and Opera. Both IE and Seamonkey are not affected. Not sure about Edge....

Re:

[E-Rock]

Edge and IE have webRTC disabled by default. So the MS browsers are safe. I know, I was shocked too. :)

Re:

[E-Rock]

It's probably your cookies that are revealing where you are.

The elephant in the room is the browser.

[Anonymous Coward]

As always (see the Facebook discussion), the browser mutated from a hypertext viewing application into a spyware executing monster, a thing picking up random executables off the 'net and colluding with everyone out there against the user.

The sad part is that even Mozillians have been carried away by "oh, shiny!" and "ours is the fastest javascript engine" instead of throwing some weight into keeping the javascript-free web viable.

Re:

[pnutjam]

I'm in the process of setting up a pi-hole that uses my VPN providers dns upstream.

Re:

[AHuxley]

1+ AC. make it external to the OS and the computer. The last step on the network out.

Sigh

[ledow]

Nothing to do with the VPN.

For a start, they shouldn't be opening packets and inspecting protocols, so they can't "fix" this for you in any way, shape or form, if they're doing their job.

This is the browser talking to an outside STUN server deliberately saying "My internal IP is X.X.X.X". The VPN shouldn't be interfering with that. No VPN (hardware or software) should be combatting that.

If you're worried about it, don't use browsers that do that.

VPNs are NOT there to provide protection from data-escape.

Won't happen on Pale Moon

[Rexdude]

Pale Moon intentionally does not support WebRTC [palemoon.org]:

WebRTC. Apart from opening up a whole can of worms security/privacy-wise, "Web Real Time Chat" (comparable with Skype video calls and the likes) is not considered useful or desired functionality for Pale Moon (both according to the developers and the users of the browser at large). This is best left to dedicated programs or at most a browser plug-in.