Users hoping to remain anonymous by using VPNs or proxies should disable several browser features, security researcher Paolo Stagno warns. Especially the WebRTC feature, used by browsers but also in mobile apps, can be used to obtain the user’s actual IP address.
WebRTC adds Real-Time Communication (RTC) functionality to browsers without requiring a plugin. Most major browsers, including Chrome, Firefox and Opera support WebRTC and have it enabled by default. Microsoft’s Edge and Internet Explorer also support WebRTC but have it disabled by default, just like Safari.
This way VPN users sometimes unintentionally leak their actual IP address. Of the 70 analyzed VPN and proxy services, 23% leaked the IP address through WebRTC. From those services PureVPN and Hola are probably the best known names.
The security researcher who discovered the IP leakage has also created an online tool that allows users to check whether their browser leaks their real IP address.