• VPN’s can be exploited to leak the real IP of users via WebRTC.
  • The technique involves sending a simple request to the STUN server – which is used by VPNs.
  • The only requirement for utilizing this de-anonymizing technique is for the user to surf the Internet on a browser that supports Javascript and WebRTC.

VPN, short for the virtual private network, creates a safe environment (private network) within a public network so that the user can browse the internet anonymously. This can help to enhance your security, privacy, and keep prying eyes away for your online matters. However, WebRTC technology can be used to obtain the real IP of website visitors, even if they are using a VPN.

WebRTC is a free and open project that provides browsers and mobile applications with APIs that give them Real-Time Communication (RTC) functionalities. The technology provides the fundamental components that help build a high-quality communication experience such as network, audio-video components used during video calls, and so on.

Now, when these components are implemented in a browser, it can be accessed by a JavaScript API. This allows any developer to implement their own RTC web app easily.

VPN leaks IP because of WebRTC
Image Courtesy of a1a

So how can this be used to make VPNs leak real IPs? As reported by Voidsec, this happens thanks to the underlying mechanism. First, you will need to understand the STUN and ICE mechanisms which are used by VPNs to establish a connection across various networks.

The STUN (Session Traversal Utilities for NAT ) server is used to ping back the IP address and port of a client. It is used by VPNs to translate a local home IP address to a new public IP address. While connected, the STUN servers keep a table of both of your VPN based public IPs along with the real local IP. This is somewhat similar to what routers do in your home.

Now, using WebRTC, a request can be made to the STUN servers which will return the “hidden” real IP along with the local network address. Since these requests are made outside the normal XML/HTTP request procedures, they will not show up in the developer console. Instead to access the information developers can use certain Javascript APIs.

The only requirement for this WebRTC based de-anonymizing technique to work is that the browser being used should support both Javascript and WebRTC. And its use cases go as far as tracing back to users who are hiding behind VPNs, SOCKS Proxies, and HTTP Proxies.

So to help you out, here is a list of the popular browsers which has Javascript and WebRTC enabled by default:

  • Opera
  • Internet (Samsung Browser)
  • Google Chrome on Android
  • Google Chrome
  • Mozilla Firefox
  • Epiphany (Gnome)
  • Edge (it does not leak at the moment since it doesn’t support ‘createDataChannel’)
  • Brave
  • Vivaldi

Now, VoidSec has done a test on over a hundred VPN and Proxy providers to see how many of them leak IPs via WebRTC. And the following are the providers which leaked IPs:

  • Windscribe Add-ons (Browser Extension/Plugin)
  • TOR as PROXY on browsers with WebRTC enabled
  • SumRando Web Proxy
  • SOCKS Proxy on browsers with WebRTC enabled
  • SmartHideProxy
  • psiphon3 (not leaking if using L2TP/IP)
  • PrivateTunnel
  • phx.piratebayproxy.co
  • PHP Proxy
  • IBVPN Browser Addon
  • HTTP PROXY in a browser that supports Web RTC
  • Hola!VPN Chrome Extension
  • Hola!VPN
  • HideMyAss
  • hide-me.org
  • Glype (Depends on the configuration)
  • CyrenVPN
  • ChillGlobal (Chrome and Firefox Plugin)
  • BlackVPN

Here is the link to the spreadsheet of all tested VPN providers.

With this new knowledge at hand, here are some tips which you should practice to keep yourself anonymous while surfing:

  • Disable WebRTC
  • Drop all outgoing connections except for VPN provider
  • Clear browser cache, history, and cookies
  • Always kill all your browsers instances before and after a VPN connection
  • Always set a DNS fallback for every connection/adapter
  • Disable Canvas Rendering (Web API)
  • Disable JavaScript (or at least some functions. Use NoScript)