The Vulnerability

The implementation of WebRTC has allowed websites to insert a few lines of code to reveal the true IP of the user even when a VPN is used. Browsers that use it such as Chrome and Firefox are affected by this vulnerability but only Windows users are affected. Mac and Linux aren’t affected. Also, Safari and Internet Explorer are not affected by this vulnerability as they do not implement WebRTC by default.

WebRTC was designed to allow browser to browser applications for voice-calling, video-chat, P2P and file sharing without the requirement for any external plugins.

How to Fix it

The easiest way to fix this vulnerability is simply to use Safari or Internet Explorer instead but thankfully if you’re ok with installing additional plugins, there are ways to keep on using Chrome or Firefox while patching this vulnerability.

Chrome users can easily install the WebRTC block extension or ScriptSafe, which both block the vulnerability. We have tested it and confirm that this is working.

Firefox users can block the request with the NoScript addon as the vulnerability relies on Javascript and selectively enabling Javascript blocks this. Alternatively, you can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.

Another way around this vulnerability is to install the VPN directly onto your router if your firmware supports OpenVPN (DD-WRT, Tomato, Asus-WRT.

As clarification, this is not really a vulnerability on the VPN itself but more on how WebRTC API is implemented within the affected browsers. Only a handful of web applications use WebRTC (with the exception of Whatsapp Web), so disabling it is unlikely to affect your day to day experience.

To check if you have patched the problem go to this site to check if your real IP shows.