Slashdot Mirror


Many VPN Providers Leak Customer's IP Address via WebRTC Bug (bleepingcomputer.com)

An anonymous reader shares a report: Around 20% of today's top VPN solutions are leaking the customer's IP address via a WebRTC bug known since January 2015, and which apparently some VPN providers have never heard of. The discovery belongs to Paolo Stagno, a security researcher who goes by the pseudonym of VoidSec, and who recently audited 83 VPN apps for this old WebRTC IP leak. Stagno says he found that 17 VPN clients were leaking the user's IP address while surfing the web via a browser. The researcher published his results in a Google Docs spreadsheet. The audit list is incomplete because Stagno didn't have the financial resources to test all commercial VPN clients.

8 of 83 comments

  1. Re:How are VPN providers supposed to stop this? by barc0001 · Score: 4, Insightful

    Not everyone can be expected to be an expert in security. That's like saying if you get on a plane that hasn't had its maintenance done and it crashes, it was your fault for getting on the plane without knowing what its maintenance status was.

  2. The bug and the way around it by Xenna · Score: 5, Informative

    I just discovered this bug today myself by chance, but AFAIK if you're using NAT (which most of us do) this will only reveal your 'local' IP address, usually something like 192.168.0.x. Still nasty, but it won't immediately identify you.

    Also, there's an ad blocker plugin for most popular browsers (uBlock Origin) that has an optional setting that blocks this.

    Test for the vulnerability here:

    https://www.whatismybrowser.co...

    The page will reveal your local IP if your browser is vulnerable (no VPN needed).

    1. Re:The bug and the way around it by Bruce Perens · Score: 4, Interesting

      It did reveal my local-network IPv4 address behind NAT, which is of little use to anyone. But it also showed my public IPv6 address, which is no surprise because there's no NAT. That's the dangerous one. I am not using a VPN, but if I was using one to conceal my identity, this would reveal a traceable IP address.

    2. Re:The bug and the way around it by Bruce Perens · Score: 2, Insightful

      You discovered this just now? I made that conclusion years ago while surfing to a porn site.

      I must confess to being that boring sort of individual who doesn't really have anything to hide. At least yet, the way things are going it could get to the point that every civil person will need to hide.

      Thus, I haven't been using any sort of concealment technology and haven't concerned myself with the fact that my IP address can be identified.

      At the moment it's still legal for you to look at that porn site. Although if those people who take Cosmo off the shelves in stores have anything to say about it, it won't be. FYI, they have nothing to do with #metoo and are just a prudish religious organization. And their behavior concerns me.
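The leak that Xenna and Bruce Perens describe above comes from WebRTC's ICE candidate gathering: a page can open an RTCPeerConnection without any permission prompt, and the browser reports every address it could be reached on, including the private IPv4 host address behind NAT, the global IPv6 address when there is no NAT, and (via a STUN server) the public address the STUN request left from. The following is an added example written for this page, not code from the article, from VoidSec's audit, or from any VPN vendor. It has two halves: the browser-side harvester that leak-test pages use, and a parser/classifier that shows what an observer learns from each candidate. The STUN URL and the sample candidate lines are assumptions constructed for the example; the `.local` mDNS case reflects the host-candidate obfuscation that current browsers apply by default.

```javascript
// Added example for this page (not the article's or any vendor's code).
// Half 1: parse and classify ICE candidates the way a tracker would.
// Half 2: gather real candidates in a browser; falls back to constructed
// sample data under Node so the file runs stand-alone.

// Parse one ICE candidate attribute (RFC 5245 candidate-attribute grammar).
// Returns null for anything that does not look like a candidate.
function parseIceCandidate(candidateLine) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(candidateLine.trim());
  if (!m) return null;
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(), // host, srflx, prflx or relay
  };
}

// Classify an address the way someone trying to identify the visitor would.
function classifyAddress(address) {
  const a = address.toLowerCase();
  if (a.endsWith('.local')) return 'mdns';           // obfuscated host candidate, no IP exposed
  if (a.includes(':')) {                              // IPv6
    if (a === '::1') return 'ipv6-loopback';
    if (a.startsWith('fe80:')) return 'ipv6-link-local';
    if (/^f[cd]/.test(a)) return 'ipv6-ula';          // fc00::/7, not routable on the Internet
    return 'ipv6-global';                             // routable: no NAT, directly traceable
  }
  const parts = a.split('.').map(Number);
  if (parts.length !== 4 || parts.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return 'unknown';
  const [o1, o2] = parts;
  if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) || (o1 === 192 && o2 === 168)) return 'ipv4-private';
  if (o1 === 127) return 'ipv4-loopback';
  if (o1 === 169 && o2 === 254) return 'ipv4-link-local';
  if (o1 === 100 && o2 >= 64 && o2 <= 127) return 'ipv4-cgnat';
  return 'ipv4-public';
}

// Turn candidate lines into findings plus an overall verdict. A routable
// address in a host candidate (no NAT, typically IPv6) or in a srflx
// candidate (the STUN server's view of the client) exposes a real address.
// Relay candidates carry the TURN server's address and are not counted.
function summarizeLeak(candidateLines) {
  const findings = [];
  for (const line of candidateLines) {
    const c = parseIceCandidate(line);
    if (!c) continue;
    findings.push({ type: c.type, address: c.address, kind: classifyAddress(c.address) });
  }
  const exposesPublic = findings.some(f =>
    (f.kind === 'ipv4-public' || f.kind === 'ipv6-global') && (f.type === 'host' || f.type === 'srflx'));
  return { findings, exposesPublic };
}

// Browser side: gather candidates exactly as the leak-test pages do. A data
// channel is enough to start ICE; no camera/microphone prompt is shown.
// Resolves to [] outside a browser. The STUN URL is an assumed placeholder.
async function harvestCandidates(stunUrl = 'stun:stun.example.net:3478') {
  if (typeof RTCPeerConnection === 'undefined') return [];
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  const lines = [];
  const gathered = new Promise(resolve => {
    pc.onicecandidate = e => {
      if (e.candidate) lines.push(e.candidate.candidate); // null candidate = gathering finished
      else resolve();
    };
  });
  pc.createDataChannel('probe');
  await pc.setLocalDescription(await pc.createOffer());
  await gathered;
  pc.close();
  return lines;
}

// Constructed sample, not captured from any real client: roughly what a
// browser behind IPv4 NAT that also has a global IPv6 address might emit.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.0.12 54321 typ host generation 0',
  'candidate:2 1 udp 2122262783 2001:db8:1234::abcd 54322 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.0.12 rport 54321 generation 0',
  'candidate:4 1 udp 2122260223 5b1e0d3a-2c4f-4b6e-9d8a-1f2e3c4d5e6f.local 54323 typ host generation 0',
];

async function main() {
  const live = await harvestCandidates();
  const report = summarizeLeak(live.length ? live : SAMPLE_CANDIDATES);
  for (const f of report.findings) console.log(`${f.type.padEnd(5)} ${f.kind.padEnd(16)} ${f.address}`);
  console.log(report.exposesPublic ? 'real address exposed' : 'only non-routable addresses seen');
}
main();
```

Run in a browser console (or paste into a page) and the report is built from your own candidates; under Node it runs on the constructed sample. Read against the thread: an IPv4-only client behind NAT shows a private host candidate, as Xenna saw, and its real public address only appears in the srflx candidate, which is only a problem if the STUN packet leaves outside the VPN tunnel; a client with a global IPv6 address shows it directly in a host candidate, which is the traceable case Bruce Perens hit. On the defensive side, uBlock Origin's option that Xenna mentions suppresses the local-address candidates, and in Firefox setting `media.peerconnection.enabled` to false in about:config disables WebRTC entirely.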

  3. The elephant in the room is the browser. by Anonymous Coward · Score: 2, Insightful

    As always (see the Facebook discussion), the browser mutated from a hypertext viewing application into a spyware executing monster, a thing picking up random executables off the 'net and colluding with everyone out there against the user.

    The sad part is that even Mozillians have been carried away by "oh, shiny!" and "ours is the fastest javascript engine" instead of throwing some weight into keeping the javascript-free web viable.

  4. Re:How are VPN providers supposed to stop this? by barc0001 · Score: 2

    > and then the passenger (user) brings a bomb (WebRTC) on the plane

    Your analogy doesn't work because your passenger knows they're bringing a bomb onto the plane. I bet you $100 that 99 out of 100 VPN customers have never heard of WebRTC, let alone know what it does and certainly don't know it breaks the VPN's privacy.

  5. Re:How are VPN providers supposed to stop this? by svanheulen · Score: 2

    Nope, my analogy works perfectly. I didn't specify that the passenger knew. Even if the passenger unknowingly brought the bomb on the plane, the plane was still properly maintained and so that is not the cause of the crash. It's WebRTC that leaks your IP, not the VPN. The VPN has no control over what (buggy) software you use, just like it can't stop you from posting your real IP on Twitter.

  6. Re:VPN Overload by pnutjam · Score: 2

    AirVPN and PIA are not on that list. PIA is US based, which some might like, but some might not. Air is based in France, still 5 eyes, but Euro privacy protection.