Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many VPN Providers Leak Customer's IP Address via WebRTC Bug (bleepingcomputer.com)

Posted by msmash on from the you-had-one-job dept.

An anonymous reader shares a report: Around 20% of today's top VPN solutions are leaking the customer's IP address via a WebRTC bug known since January 2015, and which apparently some VPN providers have never heard of. The discovery belongs to Paolo Stagno, a security researcher who goes by the pseudonym of VoidSec, and who recently audited 83 VPN apps on this old WebRTC IP leak. Stagno says he found that 17 VPN clients were leaking the user's IP address while surfing the web via a browser. The researcher published his results in a Google Docs spreadsheet. The audit list is incomplete because Stagno didn't have the financial resources to test all commercial VPN clients.

42 of 83 comments (clear)

  1. How are VPN providers supposed to stop this? by Anonymous Coward · · Score: 1

    Disable WebRTC, you dumb shits.

    1. Re:How are VPN providers supposed to stop this? by jellomizer · · Score: 1

      Being that many didn't know about this vulnerability. beforehand it means Disabling WebRTC may effect features that their customers expect.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:How are VPN providers supposed to stop this? by barc0001 · · Score: 4, Insightful

      Not everyone can be expected to be an expert in security. That's like saying if you get on a plane that hasn't had its maintenance done and it crashes, it was your fault for getting on the plane without knowing what its maintenance status was.

    3. Re:How are VPN providers supposed to stop this? by Anonymous Coward · · Score: 1

      You can't disable WebRTC on Chrome, true story

    4. Re:How are VPN providers supposed to stop this? by jellomizer · · Score: 1

      From Wikipedia:

      WebRTC (Web Real-Time Communication) is a free, open-source project that provides web browsers and mobile applications with real-time communication (RTC) via simple application programming interfaces (APIs). It allows audio and video communication to work inside web pages by allowing direct peer-to-peer communication, eliminating the need to install plugins or download native apps.[1] Supported by Google, Mozilla, and Opera, WebRTC is being standardized through the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF).[2]

      It would seem just going and disabling the feature may cause some angry customers calling and complaining.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:How are VPN providers supposed to stop this? by jellomizer · · Score: 1

      It is also the responsibility of everyone else that you use services of as well.
      If I cross the street and fall down an open manhole cover.
      I am responsible for keeping an eye on where I am looking.
      The person who opened the manhole cover is responsible for blocking off the area for others to see that it is open.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:How are VPN providers supposed to stop this? by sexconker · · Score: 1

      Nobody fucking needs or wants WebRTC.

    7. Re:How are VPN providers supposed to stop this? by svanheulen · · Score: 1

      Except in this "story" the plane (VPN) has had it's maintenance done... and then the passenger (user) brings a bomb (WebRTC) on the plane. If you, or the software you use, willingly sends your real IP address through your VPN, that's not the fault of the VPN.

    8. Re:How are VPN providers supposed to stop this? by Anonymous Coward · · Score: 1

      Just like it's always the victim's fault for being in the wrong place at the wrong time when they're murdered. Their fault for not fully understanding everything and everyone they chose to be around, right? Or maybe you're dumb as all hell.

    9. Re:How are VPN providers supposed to stop this? by ichimunki · · Score: 1

      Oh come on! This is Internet101 stuff that anyone can do. I run a private VPN at home using a little Raspberry Pi server (used to be a Mac mini, but trying to go all open source) before my browser traffic even goes out the cable modem. That way even my ISP doesn't know where the traffic is coming from.

      --
      I do not have a signature
    10. Re:How are VPN providers supposed to stop this? by jellomizer · · Score: 1

      But Flash support is going out, and I don't even know if RealPlayer is still in existence.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    11. Re:How are VPN providers supposed to stop this? by barc0001 · · Score: 2

      > and then the passenger (user) brings a bomb (WebRTC) on the plane

      Your analogy doesn't work because your passenger knows they're bringing a bomb onto the plane. I bet you $100 that 99 out of 100 VPN customers have never heard of WebRTC, let alone know what it does and certainly don't know it breaks the VPN's privacy.

    12. Re:How are VPN providers supposed to stop this? by barc0001 · · Score: 1

      > Oh come on! This is Internet101 stuff that anyone can do.

      Does your mom or your brother or uncle or cousin run a VPN with an RPi? Did they set it up themselves? If not, why not?

      Internet 101 is AOL level knowledge for most of the population, the people who post to /. have just a little more expertise than the average person...

    13. Re:How are VPN providers supposed to stop this? by svanheulen · · Score: 2

      Nope, my analogy works perfectly. I didn't specify that the passenger knew. Even if the passenger unknowingly brought the bomb on the plane, the plane was still properly maintained and so that is not the cause of the crash. It's WebRTC that leaks your IP, not the VPN. The VPN has no control over what (buggy) software you use, just like it can't stop you from posting your real IP on Twitter.

    14. Re: How are VPN providers supposed to stop this? by Brockmire · · Score: 1

      Pilots: ignore this guy. You guys better not get on the plane without knowing the maintenance schedule.

    15. Re: How are VPN providers supposed to stop this? by Brockmire · · Score: 1

      What? Your ISP will see the traffic come from your pi. Your connection to the pi is encrypted, your DNS lookups from pi to whatever DNS server is easily known by ISP. Did you poorly explain your setup?

    16. Re: How are VPN providers supposed to stop this? by barc0001 · · Score: 1

      I'm sure the guy sitting in 24c is a pilot, as is the lady in 14b...

    17. Re:How are VPN providers supposed to stop this? by AHuxley · · Score: 1

      Put the users computer behind a fast ethernet router with the VPN crypto.
      A really great router with the chipset to keep up with the ISP and secure VPN crypto in real time.
      That would ensure the browser, OS, add ons, plug ins, extensions, malware, ads can only see the internet as a VPN ip.
      From the most normal ways around a VPN in the OS.

      The security services just collect it all in real time without much effort globally.

      --
      Domestic spying is now "Benign Information Gathering"
    18. Re: How are VPN providers supposed to stop this? by x_t0ken_407 · · Score: 1

      I was thinking the exact same thing! I was wondering if he knew that the VPN is still getting it's IP from the ISP and that traffic from it is not encrypted...

  2. Re:No The VPNs Did Not Leak IPs by Dr_Harm · · Score: 1

    It looks to me like the STUN server is the one doing the leaking. And that's a function of whatever WebRTC service you're using, not your VPN provider or your browser.

  3. The bug and the way around it by Xenna · · Score: 5, Informative

    I just discovered this bug today myself by chance, but AFAIK if you're using NAT (which most of us do) this will only reveal your 'local' IP addres, usually something like 192.168.0.x. Still nasty, but it won't immediately identify you.

    Also, there's an ad blocker plugin for most popular browsers (uBlock Origin) that has an optional setting that blocks this.

    Test for the vulnerability here:

    https://www.whatismybrowser.co...

    The page will reveal your local IP if your browser is vulnerable (no VPN needed).

    1. Re:The bug and the way around it by Bruce+Perens · · Score: 4, Interesting

      It did reveal my local-network IPV4 address behind NAT, which is of little use to anyone. But it also showed my public IPV6 address, which is no surprise because there's no NAT. That's the dangerous one. I am not using a VPN, but if it was using one to conceal my identity this would reveal a traceable IP address.

      --
      Bruce Perens.
    2. Re:The bug and the way around it by Anonymous Coward · · Score: 1

      Not possible to detect your local IP.

      I disabled webrtc in firefox the instant i updated to the version which included it. I want a web browser not a god damn app platform. Every new 'feature' is just another attack surface.

      FYI
      about:config
      media.peerconnection.enabled = false

    3. Re:The bug and the way around it by Bruce+Perens · · Score: 2, Insightful

      You discovered this just now? I made that conclusion years ago while surfing to a porn site.

      I must confess to being that boring sort of individual who doesn't really have anything to hide. At least yet, the way things are going it could get to the point that every civil person will need to hide.

      Thus, I haven't been using any sort of concealment technology and haven't concerned myself with the fact that my IP address can be identified.

      At the moment it's still legal for you to look at that porn site. Although if those people who take Cosmo off the shelves in stores have anything to say about it, it won't be. FYI, they have nothing to do with #metoo and are just a prudish religious organization. And their behavior concerns me.

      --
      Bruce Perens.
    4. Re:The bug and the way around it by Lost+Race · · Score: 1

      Everyone has something to hide. Maybe you just don't know what yours is yet. By the time you find out it will be too late. Best to bide everything you possibly can.

    5. Re:The bug and the way around it by cerberusss · · Score: 1

      I must confess to being that boring sort of individual who doesn't really have anything to hide

      For now. However next year, your particular idiosyncrasies and/or opinions could easily become politically incorrect.

      --
      8 of 13 people found this answer helpful. Did you?
  4. Private Internet Access by Anonymous Coward · · Score: 1

    The google doc suggests it's vulnerable but visiting https://ip.voidsec.com/ myself everything looked fine. The google doc references https://www.vpncompare.co.uk.

    There's nothing about WebRTC in the review of PIA (https://www.vpncompare.co.uk/private-internet-access-review/)

    This article about it going open source only mentions WebRTC in the context of a chrome extension blocking IP discovery (https://www.vpncompare.co.uk/private-internet-access-vpn-taking-to-the-open-source-road/)

    I just tried https://ipx.ac/run however and it's clear that Flash is leaking my IP address. I'm using Firefox so it was as easy as going into Add-ons and changing activation from Always to Ask.

    Moral of the story? Get on your VPN and try https://ipx.ac/run

  5. VPN Overload by ArhcAngel · · Score: 1

    I started looking at VPN providers and stumbled across this guys site. Talk about information overload! I don't know anything other than what he has posted but by the looks of it he has way more free time than I do. So if your VPN is "leaking" this might be a good source for deciding who your next VPN provider will be.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:VPN Overload by pnutjam · · Score: 2

      AirVPN and PIA are not on that list. PIA is US based, which some might like, but some might not. Air is based in France, still 5 eyes, but Euro privacy protection.

      --
      Cheap storage VM.
    2. Re:VPN Overload by jaa101 · · Score: 1

      Air is based in France, still 5 eyes

      I thought the five were US, UK, Canada, Australia and New Zealand. What's your issue with France?

    3. Re:VPN Overload by pnutjam · · Score: 1

      I thought Eurozone was part of the five eyes, consider me corrected.

      --
      Cheap storage VM.
  6. Chrome and Firefox Only by petermp · · Score: 1

    Let's be a little bit more specific. The bug works with Chrome, Firefox and Opera. Both IE and Seamonkey are not affected. Not sure about Edge....

    1. Re:Chrome and Firefox Only by E-Rock · · Score: 1

      Edge and IE have webRTC disabled by default. So the MS browsers are safe. I know, I was shocked too. :)

  7. Re:Yep by E-Rock · · Score: 1

    It's probably your cookies that are revealing where you are.

  8. The elephant in the room is the browser. by Anonymous Coward · · Score: 2, Insightful

    As always (see the Facebook discussion), the browser mutated from a hypertext viewing application into a spyware executing monster, a thing picking up random executables off the 'net and colluding with everyone out there against the user.

    The sad part is that even Mozillians have been carried away by "oh, shiny!" and "ours is the fastest javascript engine" instead of throwing some weight into keeping the javascript-free web viable.

  9. Re:No The VPNs Did Not Leak IPs by torqer · · Score: 1

    in my Experience with a webrtc phone... Chrome leaks it. Firefox doesn't.

  10. Re: When will a VPN provider get hacked? by Brockmire · · Score: 1

    If you buy VPS during promos, you can get one for $12/year. I have some for $6/year. I got a promo for 5 IPv4 with 2GB and 2 cores for $20/year. The cost difference is my time.

  11. Re:Still not as bad as DNS leaks by pnutjam · · Score: 1

    I'm in the process of setting up a pi-hole that uses my VPN providers dns upstream.

    --
    Cheap storage VM.
  12. Re:your vpn client should be hardware.. by AHuxley · · Score: 1

    1+ AC. make it external to the OS and the computer. The last step on the network out.

    --
    Domestic spying is now "Benign Information Gathering"
  13. Re:NOT a solution! by Xenna · · Score: 1

    You're right of course. I remember playing with 'beef' sometime and that was pretty sobering.

    https://www.hacking-tutorial.c... (you don't even need to use XSS if you own the site)

  14. Sigh by ledow · · Score: 1

    Nothing to do with the VPN.

    For a start, they shouldn't be opening packets and inspecting protocols, so they can't "fix" this for you in any way, shape or form, if they're doing their job.

    This is the browser talking to an outside STUN server deliberately saying "My internal IP is X.X.X.X". The VPN shouldn't be interfering with that. No VPN (hardware or software) should be combatting that.

    If you're worried about it, don't use browsers that do that.

    VPNs are NOT there to provide protection from data-escape. They are there to provide a secure unmonitorable connection to a device that may then connect to the Internet. EVERYTHING on the other end is monitorable anyway. And if you're literally sending your IP address via STUN, or in an email, or by telling people it on the web, a VPN is not even supposed to know, let alone try to stop you (which it can't).

    This is a case of people culminating "VPN" and "web proxy", and then using a piece of software that talks entirely different protocols out anyway, and does so at your request, and expecting the VPN provider to "just take care of my own stupidity".

    I mean, I'm quite glad. Stupid criminals are the ones most easily caught, so they will just think they are safe because they bought some $5/month VPN and they can't possibly be found when planning their acts of terrorism, illegal acts, software piracy, whatever it may be. But if you're using a VPN like this to just bypass a content restriction, or to enable you to browse without people casually snooping on you, and not for 100% anonymity, then you're pretty much unaffected.

    However, if I demanded secure anonymous access to a resource, a commercial web browser of any kind probably wouldn't figure very highly at all. There's just too much junk in there from javascript and cookies to WebRTC (a lovely useful technology), extensions, automatic-updates, history recording, etc. etc. etc.

    Honestly, if you're doing something critical for which you don't want to ever be identified, then... this is not the answer. It's not even close to the answer. For a start, paying a VPN provider is a really dumb idea, even if you do it with Bitcoin. Let alone "hoping" that they aren't secretly complying with FBI etc. orders to open their logs etc. (I'm sure if I was an intelligence agency, I'd find a way to own at least one major VPN provider claiming to provide anonymity myself, even if it meant setting it up from scratch and operating it like any other business without any formal contact).

    If you want to be "private", then asking a bunch of computers along the way, all belonging to different people, corporations and nations, to keep your secret is really stupid.

  15. Won't happen on Pale Moon by Rexdude · · Score: 1

    Pale Moon intentionally does not support WebRTC:

    WebRTC. Apart from opening up a whole can of worms security/privacy-wise, "Web Real Time Chat" (comparable with Skype video calls and the likes) is not considered useful or desired functionality for Pale Moon (both according to the developers and the users of the browser at large). This is best left to dedicated programs or at most a browser plug-in.

    --
    "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."