Explaining the WebRTC IP Leak Vulnerability Affecting Some Web Browsers


UPDATE: July 30th, 2015

For Chrome users: Good news! webrtc.org has just released its official fix for preventing leaks on Google Chrome. You can get it from the Chrome Web Store here and double-check that it’s working as expected at ipleak.net.

Firefox users: If you’re in Firefox, you can use this fix:

  1. Type about:config in the address bar of Firefox.
  2. Click on “I’ll be careful, I promise!” (or some security message similar to that) [the message depends on the version of Firefox you have]
  3. A list will open with a search bar above. In that search bar, please type: media.peerconnection.enabled and hit enter.
  4. When the result comes up, double-click on it to turn its value to false.
  5. Close the tab to finish the procedure.

 


 

A security issue reported last week affects some web browsers, mostly Chrome and Firefox on Windows, although OS X users are affected too. The risk is that a malicious website might obtain a visitor’s true IP address even if the user is connected to a VPN. For example:

  1. A user visits the malicious website, which triggers the browser to run some JavaScript.
  2. The JavaScript uses a vulnerable feature in the browser called WebRTC to find out the computer’s true IP address, then reveals it to the operator of the malicious site.

Use the following steps to check if you’re affected and mitigate the issue if necessary:

  1. Connect to a VPN.
  2. Open our WebRTC Test. (This test is only relevant if you use it while connected to a VPN.)
  3. If your browser is secure, you should see something like this: [Image: WebRTC Test - Safe]
  4. If your browser is affected by this issue, you’ll see this message: [Image: WebRTC Test - Vulnerable]
    To fix, try the following steps:

    1. Chrome: Install the WebRTC Block extension.
    2. Firefox: Type about:config into the address bar, search for media.peerconnection.enabled, and toggle its setting to false.
  5. Close your browser and open our WebRTC Test again to confirm that the site can no longer determine your true IP address.
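One way to read the result of such a test, as an added example (not code from this post or from the test linked above): given the ICE candidate lines a browser produced and the VPN's exit IP, it reports any other public address as a leak. The candidate lines use constructed documentation addresses, and all function names are hypothetical.

```javascript
// Constructed sample candidates (documentation addresses, not real captures).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 198.51.100.42 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 2122194687 10.8.0.6 54322 typ host",
  "candidate:4 1 udp 1685987071 203.0.113.9 54322 typ srflx raddr 10.8.0.6 rport 54322",
  "candidate:5 1 udp 2122260223 3f1c2a9e-0000-4000-8000-abcdef012345.local 54323 typ host",
];

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  return { address: f[4].toLowerCase(), type: f[7] };
}

function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns"; // obfuscated hostname, no IP exposed
  if (addr.includes(":")) { // IPv6
    if (addr === "::1") return "loopback";
    if (/^fe[89ab]/.test(addr)) return "link-local";
    if (/^f[cd]/.test(addr)) return "private"; // unique local addresses
    return "public";
  }
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "unknown";
  if (o[0] === 127) return "loopback";
  if (o[0] === 169 && o[1] === 254) return "link-local";
  if (o[0] === 10 || (o[0] === 192 && o[1] === 168) || (o[0] === 172 && o[1] >= 16 && o[1] <= 31)) return "private";
  return "public";
}

// A public address other than the VPN exit is the leak described in this post.
function findLeaks(candidateLines, vpnExitIp) {
  const seen = new Set();
  const report = { leakedPublic: [], localExposed: [], vpnOnly: true };
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || seen.has(c.address)) continue; // skip malformed and duplicate entries
    seen.add(c.address);
    const kind = classifyAddress(c.address);
    if (kind === "public" && c.address !== vpnExitIp.toLowerCase()) report.leakedPublic.push(c.address);
    else if (kind === "private" || kind === "link-local") report.localExposed.push(c.address);
  }
  report.vpnOnly = report.leakedPublic.length === 0;
  return report;
}
```

After applying the Chrome or Firefox fix, the same check should return an empty `leakedPublic` list, which corresponds to the "Safe" result.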

 

We’re waiting to see what the teams at Chrome and Firefox will do about this. Hopefully, they’ll disable the WebRTC feature by default and allow users to choose whether they want to enable it.
