An extremely critical vulnerability has recently been discovered in WebRTC (Web Real-Time Communication), an open-source standard that enables browsers to make voice or video calls without needing any plug-ins.
AFFECTED PRODUCTS
Late last month, security researchers revealed a massive security flaw that enables website owners to easily see the real IP addresses of users through WebRTC, even if they are using a VPN or even PureVPN to mask their real IP addresses.
The security glitch affects WebRTC-supporting browsers such as Google Chrome and Mozilla Firefox, and appears to be limited to the Windows operating system only; users of Linux and Mac OS X are not affected by this vulnerability.
HOW DOES THE WebRTC FLAW WORK
WebRTC allows requests to be made to STUN (Session Traversal Utilities for NAT) servers which return the "hidden" home IP-address as well as local network addresses for the system that is being used by the user.
The results of the requests can be accessed using JavaScript, but because they are made outside the normal XMLHttpRequest procedure, they are not visible in the developer console. This means that the only requirement for this to work is WebRTC support in the browser and JavaScript.
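The addresses described above reach the page as ICE candidate lines. The following is an added example for self-checking, not code from the original article or from the demonstration it mentions: it parses candidate lines and reports every address other than the one your VPN is supposed to show. The function names, the sample lines and the VPN exit address (documentation ranges) are constructed for illustration.

```javascript
// Added example: audit WebRTC ICE candidate lines for addresses a VPN should hide.
// Candidate grammar (RFC 5245, section 15.1):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <ip> rport <port>]
const PRIVATE = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./,
                 /^f[cd][0-9a-f]{2}:/i, /^fe80:/i];

function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  const c = { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
  // raddr is the local base address behind a server-reflexive (srflx) candidate.
  for (let i = 8; i + 1 < f.length; i += 2) {
    if (f[i] === 'raddr') c.relatedAddress = f[i + 1];
  }
  return c;
}

function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns-obfuscated'; // hostname stands in for the local IP
  if (addr === '0.0.0.0' || addr === '::') return 'unspecified';
  return PRIVATE.some((re) => re.test(addr)) ? 'private' : 'public';
}

// Returns one finding per distinct address that is not the expected VPN exit address.
function auditCandidates(lines, vpnExitIp) {
  const findings = [];
  const seen = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // not a candidate line
    for (const addr of [c.address, c.relatedAddress]) {
      if (!addr || seen.has(addr)) continue;
      seen.add(addr);
      const kind = classifyAddress(addr);
      if (kind === 'mdns-obfuscated' || kind === 'unspecified' || addr === vpnExitIp) continue;
      findings.push({ address: addr, kind, via: c.type });
    }
  }
  return findings;
}

// Constructed sample: a machine with a VPN tunnel (10.8.0.2) and a LAN interface (192.168.1.23).
const SAMPLE = [
  'candidate:1 1 udp 2122260223 10.8.0.2 40000 typ host',
  'candidate:2 1 udp 2122194687 192.168.1.23 54321 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.50 40000 typ srflx raddr 10.8.0.2 rport 40000',
  'a=candidate:4 1 udp 1685987071 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:5 1 udp 2122260223 3f1c2a9e-0b7d-4c55-9a10-6d2e8f4b1c77.local 54321 typ host',
];
console.log(auditCandidates(SAMPLE, '203.0.113.50'));
```

A `public` finding that arrives via `srflx` is the case the article describes: the STUN server saw an address other than the VPN's.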
CHECK YOURSELF NOW
A demonstration published by developer Daniel Roesler on GitHub allows people to check if they are affected by the security glitch.
Also, you can go through the following steps in order to check if you're affected:
- Connect to ExpressVPN
- Visit https://ipleak.net
- If your browser is secure, you should see something like this:
- If your browser is affected by this issue, you'll see information about your true IP address in the WebRTC section.
HOW TO PROTECT YOURSELF
Luckily the critical security flaw is quite easy to fix.
For Chrome users:
Google Chrome and other Chromium-based browser users can install the WebRTC Block extension or ScriptSafe, which both reportedly block the vulnerability.
For Firefox users:
In the case of Firefox, the only extensions that block these lookups are JavaScript-blocking extensions such as NoScript. To fix it, try the following steps:
- Type about:config in the browser's address bar and hit enter.
- Confirm you will be careful if the prompt appears.
- Search for media.peerconnection.enabled.
- Double-click the preference to set it to false.
- This turns off WebRTC in Firefox.