A huge security flaw has been discovered that allows your local IP or home IP to be disclosed even when connected to a VPN service. VPN providers such as LiquidVPN have been making users aware of the vulnerability. LiquidVPN users can download one of two WebRTC fixes for Windows from our downloads section. These do require Windows Advanced Firewall to be running. Comodo users can open a ticket and we will provide the latest rules to enter into your firewall.
Privacy leak a risk
In recent years online privacy has become a huge issue. Many everyday users are now concerned with their online privacy, a concern greatly heightened by the Edward Snowden revelations of 2013.
So with this knowledge fresh in the minds of users, many have turned to a Virtual Private Network (VPN) to ensure their connections are encrypted both at home and, more importantly, when using public Wi-Fi systems. While no solution is ever 100% secure, users rely on VPN connections to encrypt their connection data and, equally importantly, to enable anonymity.
Anonymity is provided by obscuring your local IP, which removes the ability for anyone to pinpoint your location. By obscuring their local IP, many users receive an added layer of security. A good example is gamers who use services like the video streaming site Twitch: if their local IP is disclosed by services such as Skype, they run the risk of being DDoSed mid-broadcast, something gaming streamers with large followings are all too familiar with.
What is the WebRTC exploit
A feature of modern browsers such as Chrome and Firefox known as WebRTC is being blamed for allowing your local IP to be disclosed, even when connected to a VPN server. The exploit is rather basic and simply requires the website you're visiting to make requests to STUN servers, which in turn allows your local and network IPs to be revealed.
Users of both the Chrome and Firefox browsers are mainly affected on Windows systems, with FreeBSD also reportedly susceptible to the same issue. Using a VPN router appears to remove the risk of IP discovery, so those who connect directly through a hardware device are safe from the WebRTC issue affecting desktop users.
Developer Daniel Roesler published a demo on GitHub showing the exploit in action. Users can see if they are affected by the issue by visiting the GitHub demo page. If your public IP address is displayed in the lower half when connected to a VPN then it is possible that other websites could use the same method to discover your real IP address.
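The check described above can also be run over raw ICE candidate lines, as in this added example (not code from the original article or from Daniel Roesler's demo). It assumes you already have candidate lines in the standard SDP format, for instance copied from your own browser's WebRTC diagnostics page, and that you know your VPN's exit IP; the function names and all sample addresses are constructed for illustration.

```javascript
// Added example: audit WebRTC ICE candidate lines for addresses a site could see.
// All candidate lines and IPs here are constructed (RFC 1918 / RFC 5737 ranges).

// True for private, loopback and link-local IPv4 addresses.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Candidate layout: candidate:<foundation> <component> <transport> <priority>
// <address> <port> typ <type> ...   Returns null for lines that do not match.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line.trim());
  return m ? { address: m[1], type: m[2] } : null;
}

// Map each distinct candidate address to a verdict, given the VPN's exit IP.
function auditCandidates(lines, vpnExitIp) {
  const report = {};
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c || c.address in report) continue;
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(c.address)) {
      report[c.address] = 'not-ipv4-review-manually'; // IPv6 or hostname
    } else if (isPrivateIPv4(c.address)) {
      report[c.address] = 'local-ip-exposed';
    } else if (c.address === vpnExitIp) {
      report[c.address] = 'vpn-exit-ok';
    } else {
      report[c.address] = 'public-ip-leak'; // real address visible despite the VPN
    }
  }
  return report;
}

// Constructed sample: LAN address, ISP address, VPN tunnel address, VPN exit.
const sampleCandidates = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'a=candidate:3 1 udp 2122194687 10.8.0.2 54400 typ host',
  'candidate:4 1 udp 1685987071 198.51.100.7 54400 typ srflx raddr 10.8.0.2 rport 54400',
  'not a candidate line',
];
const sampleReport = auditCandidates(sampleCandidates, '198.51.100.7');
console.log(sampleReport);
```

Any address reported as public-ip-leak is a public IP other than the VPN exit, which is the condition the demo page asks you to look for.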
How to protect yourself against WebRTC vulnerability
Luckily there are a few fixes available. Firstly, those who use Internet Explorer are unaffected. While it is not technically the best browser, those worried about accessing sites that could possibly exploit this flaw would be safeguarded by using the Microsoft browser.
A few other fixes are available or have been made available in the past. A WebRTC Block for the Chrome browser was said to fix the issue, although currently it is still exploitable even with this extension installed; however, installing it may be better than not installing it. The available fixes are as follows:
Download and install the WebRTC Block. *Currently does not fully block the issue.
Open the URL chrome://flags/#disable-webrtc and enable the option. Relaunch the browser.
Firefox Desktop & Mobile
Open the URL about:config and find media.peerconnection.enabled. Set it to false by double-clicking it.