Jump to content

Firefox and Chrome leak VPN users' local IP


cooper
 Share

Recommended Posts

WebRTC (Real Time Communication) is a W3C standard for direct browser-to-browser communication.
As it turns out, the implementation of the protocol in Firefox and Chrome is such that it can be used to retrieve your local IP, even when using a VPN. All it takes is for your attacker to serve you with a bit of javascript. According to this article it requires Windows.

Desktop versions of both Firefox and Chrome are vulnerable, as well as the Android version of Chrome. A chrome plugin exists which blocks WebRTC. Firefox users can disable WebRTC via about:config by setting media.peerconnection.enabled to false. It would appear no other browser implements the standard yet.

It was reported in dutch media that Tor, typically provided with a Firefox install, is not susceptible to this problem.

Link to comment
Share on other sites

Nice. I never even heard of it till you posted this. Just disabled it on my phone. Wonder if he newer opera browsers implement it since they work of a chrome form of blink now. Will have to check when I get home tonight.

Link to comment
Share on other sites

This article suggests the Chome plugin works on Chromium-based browsers such as Opera aswell. Note that it also claims that you can still disable the feature in the Android version of Chrome by setting chrome://flags/#disable-webrtc to enable.

Link to comment
Share on other sites

Newest opera has a "opera://flags/" link as well. Just looked, RTC is not on or enabled it seems by default(although I am using the USB version, not full install - this may be enabled by default with no way to turn off, so not 100% sure if on or off).

FUj30k3.png

I wonder if we can script something to put on a site and let people check if its enabled or not, since that could be useful for future use in newer browsers that come out implementing the w3c standard? Maybe make the source code available so people can run it locally to check too vs having to trust a site, put it up on git or something. - I'm an idiot, just looked at the link you posted to git /me gets ticket for failbus..

Hopefully the gap in what they do to fix this from a privacy standpoint allows for an option in later versions for if you need/want to allow direct connect through VPN be made available, if say, sharing media files with friends, they can verify you over the VPN in a webapp if one such ever comes to be using this protocol. From what I can see, this is used with video files only at the moment though? So guessing its more for video conferencing or streaming, while the specs say allowing access to media from your PC, browser to browser, maybe like, stream from your desktop some video to a phone or tablet in another room, although, that seems counter productive to just setting up a normal webserver. The blurring of lines these days between a browser and an all in one product is nauseating. Chrome has its own RDP app now if you look in the appstore, which lets you essintially view and use your PC from your phone if you want to remote in, which if I wanted to use RDP, I'd probably NOT prefer to be using it via a google app or with my browser when everything probably is seen through google anyway. (https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp?hl=en )

Opera introduced a web server and bit torrent client in their older browsers years ago, while they also had built in IRC and a mail client(which I liked and use(d), but disabled the bit torrent and web server features in "about:config"). I don't care as much for their newer version except its faster than the 12.x branch and works better with canvas based sites that need more horsepower to run things, such as game emulators. The newer blink/chrome based version lacks all the things I loved about Opera from the 12 and older branches though, so I still use both side by side.

http://www.w3.org/TR/webrtc/

Detect if its on: https://www.browserleaks.com/webrtc

looks like my VPN works and it didn't return my IP in either instance, but I don't know that I like the bottom part I blacked out since to me that's kind of like the old IE Super-Cookie shit people used to use to track you online with. After refreshing, it's still the same essentially, so its another metric way to identify an end user I guess if you use it for legit purposes, but I can see that being abused quickly the more ad companies and such become aware of it. Not sure how unique the key is or if it can be used like a physical mac address, but that's not the most encouraging thing to see so I'll look to try the plug-in and see what happens.

http://i.imgur.com/HU3f830.png

Edited by digip
Link to comment
Share on other sites

Those looking to install the block tool for Opera, start here first:

https://addons.opera.com/en/extensions/details/download-chrome-extension-9/

then go to https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm and the webrtc will be able to install. Otherwise, it will say only for Chrome.

My results after successful install of the extension:

http://i.imgur.com/2yMOYn0.png

:)

Another interesting leak your browser does you can't disable, a Canvas ID. Opera, doesn;t(at least mine) show up as what it is, but FireFox is known, and it tells me I'm running FF on Windows

https://www.browserleaks.com/canvas

This is one of those things I was talking about that could be used in some manner for basic gathering in putting together pipe between two end points, since its unique to the user visiting, but not sure if I like the idea of a permanent identifier without ways to be prompted to use it, since its not an option I can see to disable, nor per site opt-in or out other than disabling JavaScript since Canvas in part relies on JS.

Edited by digip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...