Security Flaw in Windows versions of Firefox/Chrome exposes real IP Addresses


The Vulnerability

The way WebRTC is implemented allows websites to insert a few lines of code that reveal the true IP of the user even when a VPN is used. Browsers that use it, such as Chrome and Firefox, are affected by this vulnerability, but only on Windows; Mac and Linux aren’t affected. Safari and Internet Explorer are also unaffected, as they do not implement WebRTC by default.

WebRTC was designed to allow browser-to-browser applications for voice calling, video chat, P2P and file sharing without requiring any external plugins.


How to Fix it

The easiest way to fix this vulnerability is simply to use Safari or Internet Explorer instead, but thankfully, if you’re OK with installing additional plugins, there are ways to keep using Chrome or Firefox while patching this vulnerability.

Chrome users can easily install the WebRTC block extension or ScriptSafe, which both block the vulnerability. We have tested it and confirm that this is working.

Firefox users can block the request with the NoScript add-on: the vulnerability relies on JavaScript, and enabling JavaScript only selectively blocks it. Alternatively, you can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.

Another way around this vulnerability is to install the VPN directly onto your router if your firmware supports OpenVPN (DD-WRT, Tomato, Asus-WRT).

To clarify, this is not really a vulnerability in the VPN itself but in how the WebRTC API is implemented within the affected browsers. Only a handful of web applications use WebRTC (with the exception of WhatsApp Web), so disabling it is unlikely to affect your day-to-day experience.

To check if you have patched the problem go to this site to check if your real IP shows.
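
What a test page of this kind reports are the addresses carried in your browser's WebRTC ICE candidates. The following added example (not part of the original post) reads candidate lines copied from your own browser and flags any public address that is not your VPN exit IP. The function names, sample candidate lines and IPs (documentation ranges) are constructed for illustration.

```javascript
// Added example: interpret WebRTC ICE candidate lines taken from your own browser.
// All sample values are constructed (RFC 5737 documentation addresses).
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];

// Parse one "candidate:" line (ICE candidate syntax) into the fields we need.
function parseCandidate(line) {
  const re = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/i;
  const m = re.exec(line.trim());
  if (!m) return null;
  return { address: m[5], type: m[7].toLowerCase(), relatedAddress: m[8] || null };
}

function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // obfuscated hostname, no IP exposed
  if (addr.includes(':')) {                   // IPv6: loopback, link-local, unique-local
    const a = addr.toLowerCase();
    return (a === '::1' || /^fe[89ab]/.test(a) || /^f[cd]/.test(a)) ? 'private' : 'public';
  }
  return PRIVATE_V4.some((r) => r.test(addr)) ? 'private' : 'public';
}

// List every address visible in the candidates, with a verdict for each.
function findLeaks(candidateLines, vpnExitIp) {
  const seen = new Map();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip anything that is not a candidate line
    for (const addr of [c.address, c.relatedAddress]) {
      if (!addr || addr === '0.0.0.0' || seen.has(addr)) continue;
      const scope = classifyAddress(addr);
      let verdict = 'ok';
      if (scope === 'public' && addr !== vpnExitIp) verdict = 'LEAK: public address is not the VPN exit';
      else if (scope === 'private') verdict = 'local address visible';
      seen.set(addr, { address: addr, seenIn: c.type, scope, verdict });
    }
  }
  return [...seen.values()];
}

// Constructed sample: a LAN interface, a VPN tunnel interface, and two
// server-reflexive (STUN-derived) candidates, one of them bypassing the VPN.
const sample = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host',
  'candidate:2 1 udp 2122194687 10.8.0.6 51001 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.77 51000 typ srflx raddr 192.168.1.23 rport 51000',
  'candidate:4 1 udp 1686052351 203.0.113.10 51001 typ srflx raddr 10.8.0.6 rport 51001',
];
for (const r of findLeaks(sample, '203.0.113.10')) console.log(r.address, r.scope, r.verdict);
```

With WebRTC disabled (for example via “media.peerconnection.enabled” set to false), the browser produces no candidates at all and the result is an empty list.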


  1. jr says:

    Does this issue also apply to Opera (variant of Chrome… so I’m told)?

    If so, what is the solution… same as Chrome?

    jr

    • Reuben says:

      Opera also uses WebRTC as well. I believe there’s a plugin called HTTP Switchboard or you can install the “Chrome extension” to allow it to use the WebRTC Block extension.

      Once installed, test if it works properly by going to

  2. FrankN.Stein says:

    That last line by Reuben “Once installed, test if it works properly by going to”. Going to where?
    I would like to test it as I’m using Pale Moon, a supposedly more secure version of Firefox, which has no “media.peerconnection.enabled” in “about.config”.
    Cheers.

  3. jr says:

    OK… once installed how do I test to check if it works? thx

  4. Wiilie D. says:

    Wow. Good to know I was still being exposed. Fixed vulnerability on both Google and Firefox. Thanks Boleh you are the best!

  5. Reuben says:

    Hey FrankN: Here’s the link. Got cut off.
    jR: see below

    https://diafygi.github.io/webrtc-ips/

  6. Reuben says:

    @FrankN.Stein:

    I believe Pale Moon doesn’t support WebRTC out of the box so you should be safe. No harm testing 😀

  7. M. S. Anderson says:

    I’m assuming that this WebRTC vulnerability does not affect Chrome running on iOS devices (iPad, et cetera). Is that right?
