How to Stop WebRTC Local IP Address Leaks on Google Chrome and Mozilla Firefox While Using Private I

edited March 2015 in General VPN Support Posts: 8
Recent reports from our users have brought to light a security hole that can reveal your IP address to websites through WebRTC. WebRTC was originally developed to aid certain types of connections between browsers without the need for an additional plugin. The ‘RTC’ in WebRTC stands for Real-Time Communication, and the API directory is used for voice calls, video chats, and P2P file sharing. Suspicions that WebRTC could be used to discover a user’s local IP, even under the presence of a VPN, have been around since 2013. Since WebRTC uses JavaScript requests to get your IP address, users of NoScript or similar services will not leak their IP addresses.

If you are using a VPN or a Proxy and you would like to test this WebRTC Local IP leak, click here.


Note: This doesn't affect OSX or Android users, seemingly just Windows users.

Google Chrome users should download this add-on that will block WebRTC. Opera users can download this plugin that will allow them to download and use Google Chrome add-ons. Mozilla Firefox users can actually turn off the default WebRTC functionality directly in Firefox settings by typing ‘about:config’ into the search bar and browsing to the ‘media.peerconnection.enabled’ option and setting it to FALSE. Users of Canary, Nightly, and Bowser are also vulnerable to this IP leak. However, the local IP address leak should not affect Internet Explorer or Safari users unless they have manually added WebRTC themselves.

Private Internet Access already comes with many advanced features for the most privacy-centric users. PIA even suggests that you test for DNS, email, and IPv6 IP address leaks when setting up their service.


Update:

Hello all, just got word that the WebRTC Block plugin for Google Chrome doesn't cut it at the moment. Another user, uSuper, has updated the original github tool developed by Daniel Roesler to defeat what uSuper calls "naive WebRTC blocking." uSuper first reported that the use of an iframe defeated WebRTC Block in his review of WebRTC Block in the Google Chrome plugin store three days ago.

Again, this issue seems to only affect Google Chrome users on Windows. Unfortunately, the desktop version of Google Chrome does not allow the disabling of WebRTC, but the Android Google Chrome app does. Reportedly, Google hasn't made any comment on whether this feature will ever be fixed from their end.

Currently, the only way to defeat this WebRTC IP leak in Google Chrome on Windows is to use Script Safe.

Stay safe! Or as PIA says it: "Always use protection!"

Post edited by cchen on
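As an added example for this thread (not code from the original post, from PIA, or from the diafygi webrtc-ips tool), the following shows what a leak-test page actually does: it opens an RTCPeerConnection, reads the addresses out of the ICE candidates the browser announces, and sorts them into LAN, public and mDNS-masked addresses. It also shows why the iframe trick mentioned in the update defeats an extension that only deletes RTCPeerConnection from the top window: a freshly inserted iframe has its own global object with the constructor intact. The STUN server URL, the timeout, and the `probe` channel name are assumed values; the candidate parser and classifier run anywhere, the gathering part only in a browser.

```javascript
// Added example for this thread, not code from the original post or from the
// diafygi webrtc-ips tool. Shows (1) how a page pulls host/public addresses out
// of ICE candidates and (2) why deleting window.RTCPeerConnection alone is a
// "naive" block: a freshly inserted iframe gets its own global with the
// constructor intact. The STUN URL and timeout below are assumed values.

// Parse one ICE candidate attribute (RFC 5245 syntax):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const body = String(line).replace(/^a=/, '');
  if (!body.startsWith('candidate:')) return null;
  const f = body.slice('candidate:'.length).trim().split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null;
  return {
    foundation: f[0],
    component: Number(f[1]),
    transport: f[2].toLowerCase(),
    priority: Number(f[3]),
    address: f[4],
    port: Number(f[5]),
    type: f[7], // host = local interface; srflx = what the STUN server saw (public side)
  };
}

// Label an address: 'private' (RFC 1918, link-local, loopback, ULA),
// 'mdns' (browsers have hidden host candidates behind *.local names since
// roughly 2019, so an old-style test shows no LAN address there), or 'public'.
function classifyAddress(addr) {
  const a = String(addr).toLowerCase();
  if (a.endsWith('.local')) return 'mdns';
  const v4 = a.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const o1 = Number(v4[1]);
    const o2 = Number(v4[2]);
    if (o1 === 10 || o1 === 127 || (o1 === 172 && o2 >= 16 && o2 <= 31) ||
        (o1 === 192 && o2 === 168) || (o1 === 169 && o2 === 254)) return 'private';
    return 'public';
  }
  if (a === '::1' || /^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a)) return 'private';
  return 'public';
}

// Locate a usable RTCPeerConnection constructor. Vendor-prefixed names are
// tried first (2015-era Chrome/Firefox). If the page's own global has been
// stripped by an extension, a new iframe is inserted and its window is tried:
// that is the "naive WebRTC blocking" bypass referred to in the update.
function findPeerConnection(win) {
  const names = ['RTCPeerConnection', 'webkitRTCPeerConnection', 'mozRTCPeerConnection'];
  for (const n of names) if (typeof win[n] === 'function') return win[n];
  const doc = win.document;
  if (doc && typeof doc.createElement === 'function' && doc.body) {
    const frame = doc.createElement('iframe');
    if (frame.style) frame.style.display = 'none';
    doc.body.appendChild(frame);
    const inner = frame.contentWindow;
    if (inner) for (const n of names) if (typeof inner[n] === 'function') return inner[n];
  }
  return null;
}

// Browser only: gather every address the ICE agent is willing to announce.
// Host candidates expose LAN addresses; srflx candidates expose the address the
// STUN server saw, which is the ISP address whenever the STUN packets leave the
// machine outside the VPN tunnel.
function collectIceAddresses(win, { stunUrl = 'stun:stun.l.google.com:19302', timeoutMs = 3000 } = {}) {
  return new Promise((resolve, reject) => {
    const PC = findPeerConnection(win);
    if (!PC) return reject(new Error('no RTCPeerConnection constructor reachable'));
    const pc = new PC({ iceServers: [{ urls: stunUrl }] });
    const seen = new Map();
    let timer = null;
    const finish = () => {
      clearTimeout(timer);
      pc.close();
      resolve([...seen].map(([address, v]) => ({ address, ...v })));
    };
    pc.onicecandidate = (ev) => {
      if (!ev.candidate) return finish(); // null candidate = gathering complete
      const c = parseCandidate(ev.candidate.candidate);
      if (c && !seen.has(c.address)) {
        seen.set(c.address, { iceType: c.type, kind: classifyAddress(c.address) });
      }
    };
    timer = setTimeout(finish, timeoutMs);
    pc.createDataChannel('probe'); // gives the offer a media section so ICE starts
    pc.createOffer().then((o) => pc.setLocalDescription(o)).catch(reject);
  });
}

// Run from a browser console: prints one row per announced address.
if (typeof window !== 'undefined') {
  collectIceAddresses(window).then((r) => console.table(r), (e) => console.error(e));
}
```

To check an extension, paste this into the devtools console of a page: if `findPeerConnection(window)` still returns a constructor after the extension is installed, the block only covered the top-level global and an iframe got around it, which is the weakness reported against WebRTC Block. A browser-level switch (Firefox's `media.peerconnection.enabled`, the Android Chrome flag mentioned further down) removes the constructor from every realm, so the same call returns `null`. A result with no `srflx` entry, or one whose `srflx` address is the VPN exit, means STUN traffic stayed inside the tunnel; that is the condition the kill-switch discussion below is really testing.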

Comments

  • Posts: 380
    @cchen Can you make this an Announcement, so that it will stay (somewhat) at the top of the Forum?
  • Is there any sort of monitoring app or anything else I can use on Windows 8.1 and/or anything on Android to monitor for this vulnerability and WARN us when it notices it pop up somewhere?

    This goes for any and all such privacy leaks and vulnerabilities.

    I already did what is necessary to 'fix' this particular problem from the instructions in the other, original thread about this that was started by a PIA user the other day.

    It would seem appropriate that there would be something that could constantly monitor for privacy leaks and stuff like this for us so that we don't have to constantly be looking out for it on our own.

    I know it's our own responsibility and all that, but we have so many other automated things nowadays... seems like there should be something like that for this kind of stuff.

    e.g. Why doesn't PIA automatically check for something like this, and either fix it automatically for us, or at least warn us about it?
  • Posts: 19
    There was some bickering in the other thread about whether killswitch would have an effect on this. One user said with killswitch enabled his real IP address was not leaked.

    I have done the same and verified that with killswitch enabled my ISP IP does not leak. I would appreciate it if more people could do the same. Re-enable WebRTC, enable killswitch and check the page that tells you the IPs. Then disable killswitch and do the same. If it turns out to be true that killswitch indeed stops the leaks, then those of you who, like me, have always had it enabled don't have to worry about much.
  • Posts: 8
    Thanks, dude! What OS are you using?
  • Posts: 19
    Windows 7 64-bit
  • Posts: 37
    One user said with killswitch enabled his real IP address was not leaked.
    I think you are referring to my post BUT I did not say having Killswitch enabled is the reason my real IP was hidden, I was merely reporting on the conditions of my setup with NO "cause and effect" implications.

    In the end, I was satisfied with @Iryie explanation and installed counter-measures for FireFox and Chrome 
  • Posts: 19
    You made a post with your configuration, and someone else suggested it was killswitch that was preventing the leak. For me, with killswitch on, no leak. With killswitch off, leak.

    please, can we get some more people to test this?
  • Posts: 19
    I am not proposing it as a fix. I do not pretend to know enough about networking to make such a claim. It might put some minds at ease, however.
  • I did not realise some users were having their ISP IP leak as well (!!!):

    [image]

    For me on OSX Lion it makes no difference whether PIA kill switch is enabled, only VPN adapter IP, local IP and VPN IP are shown.

    According to the Torguard blog, "Android, Linux and Mac OS X versions of these web browsers do not appear affected at this time."
  • edited January 2015 Posts: 37
    Just tested this on the Dolphin browser under Android and it is not showing any IP, so Dolphin on Android is safe.

    Chrome on Android is still showing PIA IP.  Hum......I can't figure out how to install WebRTC block extension on Chrome for Android, anyone ?
    Post edited by lowbee on
  • I was just gonna post the article; guess you beat me to it.
  • Just tested this on the Dolphin browser under Android and it is not showing any IP, so Dolphin on Android is safe.

    Chrome on Android is still showing PIA IP.  Hum......I can't figure out how to install WebRTC block extension on Chrome for Android, anyone ?
    Hello,

    Open the Android Chrome browser and type chrome://flags/. After that you will see "Disable WebRTC"; turn it ON and restart the browser. Now go to http://ipleak.net/ and test your Android Chrome browser again.

    Hope this will help you.
  • Posts: 380
    @alex1911 beat me to the punch. I was going to post that Air has now added WebRTC detection to http://ipleak.net. Nice.
  • Posts: 37
    Thanks @alex1911 this works
  • Just want to say how this forum looks out for each other whenever there is some important information to share concerning privacy issues.
  • Just tested this on the Dolphin browser under Android and it is not showing any IP, so Dolphin on Android is safe.

    Chrome on Android is still showing PIA IP.  Hum......I can't figure out how to install WebRTC block extension on Chrome for Android, anyone ?
    Hello,

    Open the Android Chrome browser and type chrome://flags/. After that you will see "Disable WebRTC"; turn it ON and restart the browser. Now go to http://ipleak.net/ and test your Android Chrome browser again.

    Hope this will help you.
    Thanks for the info. Did what you explained above; it works.
  • So can someone tell me if I got this right?

    1.) I use Chrome
    2.) Download/Install WebRTC Block extension
    3.) Someone told me select "Allow in incognito" for WebRTC Block
    4.) Why run the extension in incognito?

    Is there a way for me to verify whether this is working for me? Thanks.
  • Posts: 4,013
    So can someone tell me if I got this right?

    1.) I use Chrome
    2.) Download/Install WebRTC Block extension
    3.) Someone told me select "Allow in incognito" for WebRTC Block
    4.) Why run the extension in incognito?

    Is there a way for me to verify whether this is working for me? Thanks.
    Try here.
    https://diafygi.github.io/webrtc-ips/
  • So can someone tell me if I got this right?

    1.) I use Chrome
    2.) Download/Install WebRTC Block extension
    3.) Someone told me select "Allow in incognito" for WebRTC Block
    4.) Why run the extension in incognito?

    Is there a way for me to verify whether this is working for me? Thanks.
    Try here.
    https://diafygi.github.io/webrtc-ips/
    What was that supposed to do? I loaded the webpage and it doesn't show a local or public IP address. Granted I'm not on a VPN right now. Wouldn't it at least show a local?
  • @lrryie, can you say whether this affects Iron users as well?
  • Posts: 380
    I can't say exactly due to an NDA still in force from my days of working for Google, so I'll just say that WebRTC is not the only way for your real IP address to be discovered while on VPN and the safe bet is to remove the Chrome browser from the system/device. One day people will wake up and realize one of the greatest threats to their privacy and security online, their personal information and online activity, is, and has been for a while now, Google (and other companies as well).
    This anticipates the question that I've been wanting to ask... Are there any other vulnerabilities (along this same line) - that you know of - that we Firefox users should be concerned with?

    If you can't spell it out specifically, can you give us some clues that might point us in the right direction?
  • Posts: 37
    WebRTC is not the only way for your real IP address to be discovered while on VPN and the safe bet is to remove the Chrome browser from the system/device.
    So not even stopping using the Chrome browser is enough, but we have to remove it entirely from our system/device? Did you mean the Chrome browser has the potential of doing something even if it is not running?
  • Perhaps it is related Google Update/Google Software Update (annoying background updater service).

  • I'm going to make a couple of assumptions: 

    1) Google put WebRTC in for a very specific set of tracking reasons (I don't know if this was originally planned as something that would maliciously violate people's privacy, or just allow Google to always keep their fingers active in their data mining endeavors)
    2) Google knows that this plugin exists, and is doing nothing about it for a very specific reason. 
    3) If Google felt that this plugin was in any way a threat to assumption 1, they would remove it from the plugin shop, (Much like they made the YouTube Downloading plugins disappear when they acquired YouTube)

    Just my thoughts on this whole thing. 
  • Posts: 4,013
    I'm going to make a couple of assumptions: 

    1) Google put WebRTC in for a very specific set of tracking reasons (I don't know if this was originally planned as something that would maliciously violate people's privacy, or just allow Google to always keep their fingers active in their data mining endeavors)
    2) Google knows that this plugin exists, and is doing nothing about it for a very specific reason. 
    3) If Google felt that this plugin was in any way a threat to assumption 1, they would remove it from the plugin shop, (Much like they made the YouTube Downloading plugins disappear when they acquired YouTube)

    Just my thoughts on this whole thing. 
    I cannot argue with any of this but the very last thing. Even today there are plenty of Youtube Download plugins. If you meant for Chrome, then that is why I do not get it. I only use Firefox.

    Google violates my very frame of mind with regards to my opinions on privacy. I would not use Chrome if my life depended upon it.
  • Just for the record, this vulnerability may exist in Linux distributions as well. It certainly does in openSUSE 13.2 running OpenVPN. Both Firefox and Chromium/Chrome have the problem. And no, WebRTC Block extension does not fix this in Chromium, but ScriptSafe does.
  • Posts: 8
    Thanks, whatever :).
  • Today I tried going to the WebRTC leak test website and it still found my real IP. (Website can be found here: https://diafygi.github.io/webrtc-ips/). Do you guys know of any working chrome extensions?