WebRTC Leak

This post briefly explains what WebRTC is, why you should be aware of the WebRTC leak, and how to fix the problem.

What is WebRTC?

WebRTC (Web Real-Time Communication) provides RTC (Real-Time Communications) capabilities to browsers and mobile applications. WebRTC APIs use JavaScript to enable peer-to-peer audio, video, and data-sharing web applications that run in browsers without any external plugins.

At this time, WebRTC is supported by the following browsers, and it is enabled by default:

  • Desktop PC – Google Chrome 23+, Mozilla Firefox 22+, Opera 18+, Microsoft Edge 12+.
  • Android – Google Chrome 28+, Mozilla Firefox 24+, Opera Mobile 12+.
  • Chrome OS.
  • Firefox OS.

What is WebRTC leak?

In January 2015, TorrentFreak reported that users were facing a massive security flaw, as websites could easily see their real and local IP addresses through WebRTC.

More than that, WebRTC can be tricked into revealing your real IP address even if you are connected to a VPN! This is called the WebRTC leak (a.k.a. WebRTC IP leak, WebRTC flaw, or WebRTC vulnerability), and it is seen as a critical security hole.

If you are interested in more technical details, here is how WebRTC may reveal your IP address. WebRTC relies on JavaScript, and a website can insert some JavaScript code that sends a UDP packet to a STUN (Session Traversal Utilities for NAT) server. That server simply sends back a packet containing the IP address from which the request originated. It is simple to implement, as Firefox provides a default STUN server that can also be used with Google Chrome.

How to check if you are exposed: WebRTC leak test

Don’t panic! It is simple to detect whether your browser may leak your IP address through WebRTC, and it is also simple to fix the problem.

Go to a leak checker or IP checker site that performs a WebRTC leak test, like IPLeak.net (it also performs a DNS leak test) or XMyIP WebRTC test.

  • If you are not connected to a VPN and you see both your local IP and your visible IP, then WebRTC is enabled and you may be exposed to the WebRTC leak.
  • Are you connected to a VPN? If you see your public IP address (provided by the ISP), it means that your VPN does not correctly handle the leak. If you see the IP of the VPN server, then you are safe.
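
The two rules above can be applied mechanically to the ICE candidate strings that a leak test page displays. The following is an added example, not code from the original post; it goes slightly beyond the text by also handling IPv6 and the mDNS .local names that some browsers put in host candidates. The function names, verdict labels and sample addresses are assumptions made for illustration.

```javascript
// Added example. Candidate lines and addresses are constructed
// (RFC 1918 and RFC 5737 documentation ranges), not captured traffic.
function parseCandidate(line) {
  // candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type>
  const re = /^(?:a=)?candidate:\S+\s+\d+\s+(\S+)\s+\d+\s+(\S+)\s+\d+\s+typ\s+(\S+)/i;
  const m = re.exec(line.trim());
  return m ? { transport: m[1].toLowerCase(), address: m[2].toLowerCase(), type: m[3] } : null;
}

function addressScope(addr) {
  if (addr.endsWith(".local")) return "mdns"; // browser-obfuscated host candidate
  if (addr.includes(":")) {
    // IPv6 loopback, link-local fe80::/10, unique-local fc00::/7
    return /^(::1$|fe[89ab][0-9a-f]:|f[cd][0-9a-f]{2}:)/.test(addr) ? "private" : "public";
  }
  const [a, b] = addr.split(".").map(Number);
  const isPrivate = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
  return isPrivate ? "private" : "public";
}

// vpnExitIp: the address an ordinary IP checker shows while the VPN is up, or null.
function assessWebRtcExposure(lines, vpnExitIp = null) {
  const local = new Set(), pub = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip anything that is not a candidate line
    const scope = addressScope(c.address);
    if (scope === "private") local.add(c.address);
    if (scope === "public") pub.add(c.address);
  }
  let verdict;
  if (local.size === 0 && pub.size === 0) verdict = "no-ip-exposed";
  else if (vpnExitIp === null) verdict = "webrtc-enabled";
  else if ([...pub].some((ip) => ip !== vpnExitIp)) verdict = "public-ip-leak";
  else verdict = "no-public-ip-leak";
  return { localIps: [...local], publicIps: [...pub], verdict };
}

// Constructed samples: ISP address 203.0.113.7, VPN exit 198.51.100.10.
const sampleLeaky = [
  "candidate:1 1 udp 2122260223 192.168.1.20 50000 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.7 50000 typ srflx raddr 192.168.1.20 rport 50000",
];
const sampleTunnelled = [
  "candidate:1 1 udp 2122260223 3f2a9c1e-1111-4222-8333-444455556666.local 50000 typ host",
  "candidate:2 1 udp 1686052607 198.51.100.10 50000 typ srflx raddr 0.0.0.0 rport 0",
];
for (const s of [sampleLeaky, sampleTunnelled]) console.log(assessWebRtcExposure(s, "198.51.100.10").verdict);
```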

How to block WebRTC leaks

The simplest way to fix the WebRTC leak is to disable WebRTC in Firefox and Chrome, which prevents your IP from being seen. That way, you do not have to rely on your VPN to handle the WebRTC leak.

Disable WebRTC in Mozilla Firefox:

In Firefox you may stop WebRTC by changing the browser settings. In the address bar enter about:config. Next, find media.peerconnection.enabled. Set the value to false and check again!

Further, according to this Reddit thread, there are additional settings you may set:

  • media.peerconnection.enabled;false // VPN cannot be bypassed anymore
  • media.peerconnection.turn.disable;true // makes sure WebRTC is really disabled
  • media.peerconnection.use_document_iceservers;false // makes sure WebRTC is disabled
  • media.peerconnection.video.enabled;false // makes sure WebRTC is really disabled
  • media.peerconnection.identity.timeout;1 // makes sure WebRTC is disabled
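
To confirm that a Firefox profile actually carries these values, its prefs.js or user.js text can be checked against the list. The following is an added example, not code from the original post or from Mozilla; the function names are hypothetical, the expected values are the ones listed above, and the profile text is constructed sample input.

```javascript
// Added example: audit Firefox prefs.js / user.js text against the
// five settings listed in this post.
const WANTED = {
  "media.peerconnection.enabled": false,
  "media.peerconnection.turn.disable": true,
  "media.peerconnection.use_document_iceservers": false,
  "media.peerconnection.video.enabled": false,
  "media.peerconnection.identity.timeout": 1,
};

// Parse user_pref("name", value); lines. Commented-out lines do not match.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/gm;
  for (const m of text.matchAll(re)) {
    prefs.set(m[1], JSON.parse(m[2])); // a later line overrides an earlier one
  }
  return prefs;
}

// Return one finding per setting that is unset or has a different value.
function auditWebRtcPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, wanted] of Object.entries(WANTED)) {
    if (!prefs.has(name)) {
      findings.push({ name, status: "unset", wanted });
    } else if (prefs.get(name) !== wanted) {
      findings.push({ name, status: "mismatch", wanted, actual: prefs.get(name) });
    }
  }
  return findings;
}

// Constructed sample profile content.
const sampleProfile = `
user_pref("browser.startup.page", 3);
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.video.enabled", true);
// user_pref("media.peerconnection.turn.disable", true);
`;
for (const f of auditWebRtcPrefs(sampleProfile)) console.log(f.status, f.name);
```

A setting reported as unset is not written in the file, so the browser's built-in default applies to it.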

Disable WebRTC in Google Chrome:

In Google Chrome, for blocking WebRTC you need to install the WebRTC Network Limiter Chrome extension and select the Disable non-proxied UDP (force proxy) option.

Disable WebRTC in Opera:

In Opera, to implement the WebRTC block you need to install the WebRTC Network Limiter Opera extension and select the Disable non-proxied UDP (force proxy) option. It will prevent the WebRTC IP leaking problem.

Disable WebRTC on Android for Chrome users:

In the Chrome browser's address bar, enter chrome://flags/#disable-webrtc and set the value to Enable.

After you disable WebRTC and reload IPLeak.net, you should see the “No leak” message.

Are there VPN services that offer protection against WebRTC leaks?

Yes, there are. Such VPN providers route the WebRTC STUN requests through their servers. Thus, even though WebRTC is enabled in the browser, the security flaw is handled by the VPN server.

Here are several VPN services that I have tested and that seemed to handle the leak properly (including other possible leaks like DNS leak or IPv6 leak):

Conclusion

To sum up, WebRTC is a great tool that enriches web applications, but it carries a security flaw that may expose your real IP address (resulting in IP address leaks) even when you are connected to a VPN.

The fix for the WebRTC vulnerability is simple, and you should use it if you are concerned about your online privacy and security. Also, check the list of VPNs that correctly handle the leak.

What do you think about WebRTC leak? Do you disable WebRTC while connected to a VPN? Feel free to share your thoughts in the comments below.
