Monday, February 2, 2015
A flaw in WebRTC's STUN protocol is affecting VPN users regardless of VPN protocol, and can be used by 3rd parties (eg., websites) to gather sensitive network information about the user connected to a VPN, such as the real IP addresses of all network interfaces. This is a major privacy risk as it would reveal the real IP addresses of affected users connected to VPNs. We covered this issue a few months ago in this tutorial, but we have reasons to believe that many have missed it and we want to raise the awareness by posting this announcement. Note that this flaw can't be fixed on the server-side, therefore it is out of our control and fixing on the local computer/device is the only way.
Check if it affects you: Demo
If the page above displays your internal IPs, you are affected. Test again after applying the fixes below.
Browsers Affected
Google Chrome, Firefox, Opera and other Chromium-based browsers.
How to fix it
Update (Jul. 12): WebRTC still can't be disabled in Chrome, however starting with a recent Chrome release it is possible to disable support for multiple routes, forcing the browser to use the VPN gateway while connected, apparently not disclosing the real IP address of users. Here is a simple 3rd party Chrome extension that seems to do the trick. We have also enforced the same setting in our SecureProxy extension in order to protect the user from disclosing the real IP while connected to the VPN. SecureProxy protects the user from exposing the real IP when connected to the VPN, without the need to connect through the extension. This only works for "classic" VPN connection types such as OpenVPN and it DOES NOT protect the user from exposing the real IP through WebRTC if only the SecureProxy extension is used. Also please be aware that disabling multiple WebRTC gateways is not a totally safe solution.
UPDATE (Feb. 26): with the most recent exploit code, WebRTC extension-based protection in Chrome is no longer possible. We'll investigate if there's anything to do about it.
UPDATE (Feb. 24): we created a simple, stand-alone extension for Google Chrome for those who don't have or don't plan to use our SecureProxy extension. If you are already using SecureProxy for Chrome, you don't need to install this extension. It can be installed from Webstore: WebRTC Stopper
UPDATE (Feb. 6): The WebRTC Block extension doesn't protect fully against the flaw! We recommend to use Firefox and disable WebRTC.
Chrome Desktop: there is no way currently to provide good protection as WebRTC can't be disabled and extensions only provide partial/temporary protection. ScriptSafe works but it also blocks most of the legit web content by default, requiring constant whitelisting of websites you visit.
Chrome Mobile: open the URL chrome://flags/#disable-webrtc in Chrome. After enabling the option, a warning will be displayed in the lower area of the screen asking to relaunch the browser for the settings to take effect.
Firefox Desktop: open the URL about:config and search for media.peerconnection.enabled. Double click on it to set it to False. A browser restart is not required. NoScript also protects against this weakness if used correctly.
Firefox Mobile: same as above
More on the WebRTC privacy issue:
STUN IP Address requests for WebRTC (GitHub)
Huge Security Flaw Leaks VPN Users' Real IP-Addresses (TorrentFreak)
Sites may detect the local IP address in browsers supporting WebRTC (gHacks)
Contact us if you face any problems fixing this flaw.