A massive security flaw has been discovered that allows VPN users' home IP addresses to be seen through WebRTC.
Currently the vulnerability is limited to browsers that support WebRTC, such as Firefox and Chrome, and appears to be limited to Windows machines.
The mechanics of the vulnerability involve websites making requests to STUN servers and logging users’ VPN IP address and the “hidden” home IP address, as well as local network addresses.
Daniel Roesler, a developer, has published a demo on GitHub that allows people to check if they are affected by the security flaw.
The demo claims that browser plugins can’t block the vulnerability, but this is not entirely true, as there are a few fixes available to patch the security hole.
Chrome users should install the WebRTC block extension or ScriptSafe, either of which should block the vulnerability.
Firefox users should use the NoScript addon. Alternatively, you can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.
Ben Van Der Pelt, TorGuard’s CEO, said that tunneling the VPN through a router is another fix:
“Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one’s real IP. During our testing Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes.”
As is always the case, all VPN and proxy users should regularly check if their connection is secure. This also includes testing against DNS leaks and proxy vulnerabilities.
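One way to run such a check on your own browser, as an added example that is not part of the original article or of Roesler's demo: the script parses ICE candidate lines (the kind listed in Firefox's about:webrtc or Chrome's chrome://webrtc-internals) and reports every address other than the VPN exit IP. The function names, the sample candidate lines and the documentation-range addresses are constructed for illustration.

```javascript
// Added example: flag addresses in ICE candidate lines that are not the VPN exit IP.
// Candidate layout (RFC 5245):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  const raddr = /\braddr (\S+)/.exec(m[8]);
  return { address: m[5], port: Number(m[6]), type: m[7], raddr: raddr ? raddr[1] : null };
}

function addressKind(addr) {
  if (addr.endsWith('.local')) return 'mdns';            // obfuscated hostname, no IP disclosed
  if (addr.includes(':')) {                              // IPv6: ULA, link-local, loopback
    return (/^f[cd]/i.test(addr) || /^fe[89ab]/i.test(addr) || addr === '::1') ? 'private' : 'public';
  }
  const o = addr.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return 'unknown';
  const isPrivate = o[0] === 10 || o[0] === 127 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
                    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
  return isPrivate ? 'private' : 'public';
}

// Returns one entry per distinct address that a page could have learned besides the VPN exit IP.
function findLeaks(lines, vpnExitIp) {
  const seen = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;                                    // skip non-candidate lines
    for (const addr of [c.address, c.raddr]) {
      if (!addr || addr === '0.0.0.0' || addr === vpnExitIp || seen.has(addr)) continue;
      const kind = addressKind(addr);
      if (kind === 'mdns') continue;
      seen.set(addr, { address: addr, kind, via: c.type });
    }
  }
  return [...seen.values()];
}

// Constructed sample: LAN and VPN-tunnel host candidates, plus two STUN (srflx) results.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51012 typ host',
  'candidate:2 1 udp 2122194687 10.8.0.6 51013 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.77 51012 typ srflx raddr 192.168.1.23 rport 51012',
  'candidate:4 1 udp 1686052351 203.0.113.9 51013 typ srflx raddr 10.8.0.6 rport 51013',
];
console.log(findLeaks(SAMPLE, '203.0.113.9'));           // assumed VPN exit IP
```

A `public` entry means a STUN server saw an address that is not the VPN exit, which is the home IP leak described above; `private` entries are the local network addresses.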