
Explaining the WebRTC IP leak vulnerability affecting some web browsers

UPDATE: December 6, 2017

ExpressVPN has a great new WebRTC leak test page to help you check for and learn about WebRTC leaks.

For Chrome users: Good news! webrtc.org has just released its official fix for preventing leaks on Google Chrome. You can get it from the Chrome Web Store here and double-check that it’s working here.

Firefox users: If you’re in Firefox, you can use this fix:

  1. Type about:config in the address bar of Firefox.
  2. Click “I’ll be careful, I promise!” (or a similar warning; the exact message depends on your version of Firefox).
  3. A list will open with a search bar above it. In that search bar, type media.peerconnection.enabled and press Enter.
  4. When the result comes up, double-click it to set its value to false.
  5. Close the tab to finish the procedure.


A security issue reported last week affects some web browsers, mostly Chrome and Firefox on Windows, although OS X users are affected too. The risk is that a malicious website might obtain a visitor’s true IP address even if the user is connected to a VPN. For example:

  1. A user visits the malicious website, which triggers the browser to run some JavaScript.
  2. The JavaScript uses a vulnerable feature in the browser called WebRTC to find out the computer’s true IP address, then reveals it to the operator of the malicious site.

Use the following steps to check if you’re affected and mitigate the issue if necessary:

  1. Connect to a VPN.
  2. Open our WebRTC Test. (This test is only relevant if you use it while connected to a VPN.)
  3. If your browser is secure, you should see something like this:
  4. If your browser is affected by this issue, you’ll see this message:

    To fix, try the following steps:
    1. Chrome: Install the WebRTC Block extension.
    2. Firefox: Type about:config into the address bar, search for media.peerconnection.enabled, and toggle its setting to false.
  5. Close your browser and open our WebRTC Test again to confirm that the site can no longer determine your true IP address.
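
The decision a WebRTC leak test makes in steps 3 and 4, as an added example (not ExpressVPN’s test code): given the ICE candidate lines a browser produced while connected to a VPN, flag any public address that is not the VPN’s exit IP. The candidate lines, the exit address and the function names are constructed for illustration.

```javascript
// Added example. Every address below is constructed (documentation ranges).
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2].toLowerCase(), port: Number(m[3]), type: m[4] };
}

function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // browser-generated name, no IP disclosed
  if (addr.includes(':')) { // IPv6
    if (addr === '::1') return 'loopback';
    if (/^fe[89ab]/.test(addr)) return 'link-local'; // fe80::/10
    if (/^f[cd]/.test(addr)) return 'private'; // fc00::/7
    return 'public';
  }
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) return 'invalid';
  const o = addr.split('.').map(Number);
  if (o.some((n) => n > 255)) return 'invalid';
  if (o[0] === 127) return 'loopback';
  if (o[0] === 169 && o[1] === 254) return 'link-local';
  const rfc1918 = o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
  return rfc1918 ? 'private' : 'public';
}

// A public address other than the VPN exit is the leak described above.
function findLeaks(candidateLines, vpnExitIp) {
  const report = { leaked: [], localOnly: [], ok: [], unparsed: [] };
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    const kind = c ? classifyAddress(c.address) : 'invalid';
    if (kind === 'invalid') report.unparsed.push(line);
    else if (kind === 'public' && c.address !== vpnExitIp.toLowerCase()) report.leaked.push(c.address);
    else if (kind === 'private' || kind === 'link-local') report.localOnly.push(c.address);
    else report.ok.push(c.address);
  }
  return report;
}

// Constructed candidates, as a test page might collect them with the VPN connected.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:3 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000',
  'candidate:4 1 udp 2122260223 3f2a9c1e-5b7d-4e11-9a60-0c1d2e3f4a5b.local 50000 typ host',
];
const VPN_EXIT_IP = '198.51.100.7'; // constructed VPN exit address
console.log(findLeaks(SAMPLE_CANDIDATES, VPN_EXIT_IP));
```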

We’re waiting to see what the teams at Chrome and Firefox will do about this. Hopefully, they’ll disable the WebRTC feature by default and allow users to choose whether they want to enable it.