According to security researcher Paolo Stagno, who goes by the pseudonym VoidSec, some VPN solutions (that you may employ to access blocked websites or hide your real IP) are leaking your real IP address via a WebRTC bug. He recently audited more than 80 VPN service providers and found that close to 20 percent of them haven’t fixed the WebRTC leak.
The WebRTC leak, which is considered to be one of the most critical flaws, was first discovered back in 2015 and has been ignored by browser makers for the past couple of years. It has, however, returned to the limelight because users’ real IP addresses can now be used to abuse their privacy.
For those unfamiliar with WebRTC, it is a free and open-source web standard that allows a number of communication applications, such as voice or video calling, to run through browsers, eliminating the need for plugins or extensions, primarily Flash. WebRTC is supported by most major browsers, and it doesn’t display any sort of pop-up or prompt to make you aware that it’s currently being used. So, it is possible for this technology to leak your real IP address without your consent.
According to VoidSec’s latest report, the VPN service providers are still not taking the required measures to patch the vulnerability. It is, however, necessary to point out that most of the tested VPNs are free and only a couple are actually popular. The VPN providers that have been found to be leaking the IP addresses of their users are:
- ChillGlobal (Chrome and Firefox Plugin)
- Glype (Depends on the configuration)
- Hola!VPN Chrome Extension
- HTTP PROXY (in a browser that supports WebRTC)
- IBVPN Browser Addon
- PHP Proxy
- psiphon3 (not leaking if using L2TP/IP)
- SOCKS Proxy on browsers with WebRTC enabled
- SumRando Web Proxy
- TOR as PROXY on browsers with WebRTC enabled
- Windscribe Add-ons (Browser Extension/Plugin)
You can check whether your VPN is leaking your real IP address right here. Now, if you want to prevent your IP address from leaking, the only option is to disable WebRTC in any and all of your browsers.
You can check active WebRTC connections by navigating to “chrome://webrtc-internals/” on Chromium-based browsers and “about:webrtc” on Firefox. Only Vivaldi allows users to disable the WebRTC broadcast under its privacy settings. Firefox users can also tinker with their browser to cut off websites’ access to their real IP address until this vulnerability is fixed.
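One way to act on what those diagnostic pages show, as an added example that is not from the original article or VoidSec's report: it parses ICE candidate lines (RFC 8839 syntax) copied from a WebRTC session and reports any public address that is not the VPN's exit IP. The function names, the sample candidates and the addresses (documentation-only ranges) are constructed for illustration.

```javascript
// Added example (not from the original article). Candidate-line syntax per RFC 8839:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...

// True for addresses that do not identify the user on the public internet.
function isLocalAddress(addr) {
  if (addr.endsWith(".local")) return true; // mDNS-obfuscated host candidate
  if (addr.includes(":")) return /^(::1$|fe[89ab]|f[cd])/i.test(addr); // loopback, link-local, ULA
  const o = addr.split(".").map(Number);
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254) ||
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127); // CGNAT 100.64.0.0/10
}

function parseCandidate(line) {
  const m = /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7] };
}

// Returns the candidates whose public address is not the VPN exit address.
function findLeaks(lines, vpnExitIp) {
  const leaks = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;                        // not a candidate line
    if (c.type === "relay") continue;        // address belongs to the TURN server, not the client
    if (isLocalAddress(c.address)) continue; // private or obfuscated, not the public IP
    if (c.address !== vpnExitIp) leaks.push(c);
  }
  return leaks;
}

// Constructed sample data: 198.51.100.7 plays the VPN exit, 203.0.113.45 the real IP.
const VPN_EXIT_IP = "198.51.100.7";
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 1686052351 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000",
  "candidate:4 1 udp 41885439 192.0.2.10 3478 typ relay raddr 198.51.100.7 rport 40000",
  "a=candidate:5 1 udp 2122194687 f3a1c2d4-0000-4000-8000-000000000001.local 50000 typ host",
];

for (const leak of findLeaks(SAMPLE_CANDIDATES, VPN_EXIT_IP)) {
  console.log(`LEAK: ${leak.type} candidate exposes ${leak.address} over ${leak.transport}`);
}
```

An empty result with the VPN connected means every public candidate matched the exit address you supplied; it says nothing about leaks outside WebRTC.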
So, it is high time that browser makers, as well as VPN service providers, plug the vulnerabilities and understand the implications of this leak, especially for those internet users who are using them to protect lives in conflict nations.