Security researcher warns VPN users about unintentionally leaking their IP address through WebRTC

Posted 28 March 2018 17:07 CET by Jan Willem Aldershoff

Users hoping to remain anonymous by using VPNs or proxies should disable several browser features, security researcher Paolo Stagno warns. The WebRTC feature in particular, used by browsers and also in mobile apps, can be used to obtain the user’s actual IP address.

WebRTC adds Real-Time Communication (RTC) functionality to browsers without requiring a plugin. Most major browsers, including Chrome, Firefox and Opera support WebRTC and have it enabled by default. Microsoft’s Edge and Internet Explorer also support WebRTC but have it disabled by default, just like Safari.

WebRTC makes it possible for developers to fairly easily add voice and video call functionality to websites without a plugin. All the developer needs to know is some JavaScript.

To establish a call between two computers over WebRTC, each side's public IP address needs to be obtained. To retrieve that address, even when the computer is on a VPN, a technology called STUN exists. When the browser sends a specific request to a STUN server, the server replies with the public IP address it sees for the user. The resulting reply can be accessed from JavaScript and then further processed by the website.

This way, VPN users sometimes unintentionally leak their actual IP address. Of the 70 VPN and proxy services analyzed, 23% leaked the IP address through WebRTC. Of those services, PureVPN and Hola are probably the best-known names.

The security researcher who discovered the IP leakage has also created an online tool that allows users to check whether their browser leaks their real IP address.
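The STUN reply described above reaches page scripts as ICE candidate lines, and a self-check tool like the one mentioned here works by parsing those lines and comparing the addresses in them with the address the VPN is supposed to present. The following is an added example written for this article, not the researcher's tool or any project's code: it parses candidate lines, classifies the addresses, and reports any that do not match the expected VPN address. The sample candidate lines and the expected VPN address (198.51.100.7) are constructed; the `gatherCandidates` helper only runs in a browser and assumes a public STUN server (stun.l.google.com:19302) is reachable.

```javascript
// Added example: detect a WebRTC IP leak from ICE candidate lines.
// Candidate lines below are constructed samples in the format RTCPeerConnection emits.
const SAMPLE_CANDIDATES = [
  // host candidate on the local LAN (private address, not a leak on its own)
  "candidate:842163049 1 udp 1677729535 192.168.1.23 54321 typ host generation 0",
  // server-reflexive candidate: the public address the STUN server saw
  "candidate:842163049 1 udp 1677729535 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
  // mDNS-obfuscated host candidate, as modern browsers emit for LAN addresses
  "candidate:1 1 udp 2113937151 abcd1234-5678-90ab.local 54322 typ host",
];

// Parse one candidate line: "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7], // host, srflx, prflx or relay
  };
}

function isIPv4(addr) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(addr);
}

// RFC 1918 ranges plus loopback and link-local; these never identify the user on the Internet.
function isPrivateIPv4(addr) {
  if (!isIPv4(addr)) return false;
  const p = addr.split(".").map(Number);
  if (p.some((n) => n > 255)) return false;
  return (
    p[0] === 10 ||
    (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
    (p[0] === 192 && p[1] === 168) ||
    p[0] === 127 ||
    (p[0] === 169 && p[1] === 254)
  );
}

// Return the candidates that expose an address other than the VPN's public address.
function findLeaks(candidateLines, expectedPublicIp) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || !isIPv4(c.address)) continue; // skip unparsable, mDNS (.local) and IPv6 entries
    if (c.type === "srflx" && c.address !== expectedPublicIp) {
      leaks.push({ ...c, reason: "STUN-reflexive address differs from the VPN address" });
    } else if (c.type === "host" && !isPrivateIPv4(c.address)) {
      leaks.push({ ...c, reason: "public address exposed directly as a host candidate" });
    }
  }
  return leaks;
}

// Browser-only helper: collect candidate lines from a throwaway RTCPeerConnection.
// Resolves with an empty list outside a browser (e.g. under Node.js).
function gatherCandidates(timeoutMs = 2000) {
  return new Promise((resolve) => {
    if (typeof RTCPeerConnection === "undefined") return resolve([]);
    const pc = new RTCPeerConnection({ iceServers: [{ urls: "stun:stun.l.google.com:19302" }] });
    const lines = [];
    pc.onicecandidate = (ev) => { if (ev.candidate) lines.push(ev.candidate.candidate); };
    pc.createDataChannel("leakcheck"); // a data channel is enough to trigger ICE gathering
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(() => { pc.close(); resolve(lines); }, timeoutMs);
  });
}

// Usage on the constructed samples: the VPN is expected to present 198.51.100.7,
// but the srflx candidate shows 203.0.113.45, so one leak is reported.
const leaks = findLeaks(SAMPLE_CANDIDATES, "198.51.100.7");
console.log(leaks.map((l) => `${l.type} ${l.address}: ${l.reason}`));
```

In a browser, `gatherCandidates().then(lines => findLeaks(lines, vpnIp))` performs the live check, with `vpnIp` taken from an ordinary "what is my IP" lookup made over the VPN. The `.local` entry in the samples is worth noting: browsers that replace LAN addresses with mDNS names in host candidates already remove one of the two leak paths, leaving the STUN-reflexive address as the one to watch.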

Users who want to remain anonymous should disable WebRTC, JavaScript (or use an extension like NoScript) and canvas rendering. It is further advisable to set up a DNS fallback for every connection, to kill all browser instances before and after connecting to a VPN, and to clear the browser cache, history and cookies.

