
Published on January 31st, 2015

Massive security flaw involving WebRTC reveals VPN users' real IP addresses



A massive security flaw involving WebRTC has been discovered that allows VPN users' home IP-addresses to be seen.

Currently the vulnerability is limited to supporting browsers such as Firefox and Chrome, and appears to be limited to Windows machines.


The vulnerability works through websites that make requests to STUN servers and log users' VPN IP-address as well as the "hidden" home IP-address and local network addresses.

Daniel Roesler, a developer, has published a demo on GitHub that allows people to check if they are affected by the security flaw.

The demo claims that browser plugins can't block the vulnerability, but this is not entirely true, as there are a few fixes available to patch the security hole.

Chrome users should install the WebRTC block extension or ScriptSafe, which should block the vulnerability.






Firefox users should use the NoScript addon or, alternatively, type "about:config" in the address bar and set the "media.peerconnection.enabled" setting to false.

Ben Van Der Pelt, TorGuard's CEO, said that tunneling the VPN through a router is another fix:
"Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one's real IP. During our testing Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes."

As is always the case, all VPN and proxy users should regularly check if their connection is secure. This also includes testing against DNS leaks and proxy vulnerabilities.
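To interpret what such a leak test reports, the following added example (not code from this article or from Daniel Roesler's demo) classifies the addresses found in ICE candidate lines against the addresses the VPN is expected to show. The function names, the sample candidate lines and all IP addresses are assumptions constructed for illustration.

```javascript
// Added example: judge the ICE candidates a WebRTC self-test collected.
// Every address here is constructed (RFC 1918 / RFC 5737 ranges).

// Parse one ICE candidate line (RFC 5245 candidate-attribute syntax).
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(?: raddr (\S+) rport \d+)?/
    .exec(line.trim());
  return m ? { address: m[1], type: m[2], relatedAddress: m[3] || null } : null;
}

// Return the four octets of a dotted-quad IPv4 address, or null.
function ipv4Octets(ip) {
  const o = ip.split('.').map(Number);
  const ok = o.length === 4 && o.every(n => Number.isInteger(n) && n >= 0 && n <= 255);
  return ok ? o : null;
}

// RFC 1918, loopback and link-local ranges.
function isPrivate(o) {
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// vpnExitIp: public address the VPN should present.
// vpnTunnelIps: addresses assigned to the VPN interface itself.
function auditCandidates(lines, vpnExitIp, vpnTunnelIps = []) {
  const findings = {};
  for (const c of lines.map(line => parseCandidate(line))) {
    if (!c) continue; // not a candidate line
    // srflx candidates repeat the local address in raddr, so check both fields.
    for (const ip of [c.address, c.relatedAddress]) {
      if (!ip || ip in findings) continue;
      const o = ipv4Octets(ip);
      if (ip === vpnExitIp || vpnTunnelIps.includes(ip)) findings[ip] = 'expected';
      else if (!o) findings[ip] = 'unclassified'; // IPv6 or hostname: review by hand
      else findings[ip] = isPrivate(o) ? 'local-network-leak' : 'public-ip-leak';
    }
  }
  return findings;
}

// Constructed sample: two interfaces, each with a host and a STUN (srflx) candidate.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host',
  'candidate:2 1 udp 2122194687 10.8.0.6 51001 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.20 51001 typ srflx raddr 10.8.0.6 rport 51001',
  'candidate:4 1 udp 1686052863 203.0.113.45 51000 typ srflx raddr 192.168.1.23 rport 51000',
];
```

Calling `auditCandidates(SAMPLE, '198.51.100.20', ['10.8.0.6'])` marks the tunnel and exit addresses as expected and flags `192.168.1.23` and `203.0.113.45`, the addresses that reached the test outside the VPN.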
