16 VPNs leak users' IP addresses via WebRTC

Do you use a VPN for security? A researcher tested 70 different VPNs and found that 16 of them revealed the user's actual IP over WebRTC, a leakage rate of 23%.

The full list of VPN providers tested by the researcher is as follows:

VPN
AceVPN
ActiVPN
AirVPN
Anonine
AnonVPN
Anonymizer
AnonymousVPN
Astrill
Avast Secureline
Avira Phantom VPN
AzireVPN
BeeVPN
Betternet
BlackVPN
BlazingVPN/BlazeVPN
Blockless
CanVPN
Boxpn
BTGuard
Buffered
CactusVPN
Zeal
ChillGlobal
CrypticVPN
CryptoHippie
CryptoStorm
CyberGhost
CyrenVPN
DefenceVPN
Disconnect.me
DotVPN
EarthVPN
Encrypt.me
ExpressVPN
Faceless.ME
FinchVPN
FlowVPN
flter.me VPN
flter.me “Hardware”
FlyVPN
FoxyProxy
Freedome
Freedom-IP
FrootVPN
FrostVPN
GetFlix
GhostPath
Glype
GooseVPN
GoTrusted
Hide My IP
Hide.me
HideALLIP
HideIPVPN
hideman.net
hide-me.org
HideMyAss
Hello! VPN
Hi! VPN Chrome Extension
Hotspot Shield
HotVPN
HTTP proxy navigation in browsers that support WebRTC
IBVPN
IBVPN browser addon
Identity Cloaker
IncognitoVPN
In-Disguise
IntelliVPN
Internetz.me
IntroVPN
IPinator
IPredator
IPVanish
Iron Socket
Ivacy
IVPN
LeVPN
LibertyShield
LibertyVPN
LimeVPN
LiquidVPN
Mullvad
My Expat Network
My Private Network
MyIP.io
Newshosting
NEXTGenVPN
NordVPN
Norton WiFi Privacy
NVPN
OctaneVPN
OneVPN
Opera (browser) VPN
OverPlay
oVPN.com
Perfect Privacy
PHP Proxy
phx.piratebayproxy.co
Private Internet Access
PrivatePackets.io
Private Tunnel
PrivateVPN
ProtonVPN
ProXPN
Proxy.sh
PRQ
psiphon3
PureVPN
Qnap NAS
RA4W VPN
RootVPN
SaferVPN
SecureVPN.com
SecureVPN.to
SecurityKISS
Seed4.Me
Seedboxes.cc
ShadeYou
SlickVPN
Smart DNS Proxy
SmartHide
SmartHide Proxy
SOCKS as proxy on browsers with WebRTC enabled
Steganos
StrongVPN
SumRando VPN
SumRando Web Proxy
SunVPN
Surfeasy
Surfeasy Addons
SwitchVPN
Synology NAS
Tails
TGVPN
TigerVPN
TopVPN
Tor as proxy on browsers with WebRTC enabled
Torguard
TorrentPrivacy
TorVPN
TotalVPN
Traceless.me
Trust.Zone
TunnelBear
TunnelBear Addons
Tunnelr
TVWhenAway
Unblock VPN
Unblock-Us
Unspyable
usaip
VanishedVPN
VikingVPN
VIP72
VPN Gate
VPN Country
VPN Unlimited
VPN.ac
VPN.Asia
VPN.cc
VPN.ht
VPN.sh
VPN4All
VPNArea
VPNAUS
VPNBaron
VPNbook
VPNJack
VPNMe
VPNSecure
VPNShazam
vpnstaticip.com
VPNTunnel
VPNUK
VyprVPN!
WASEL Pro
WindScribe
Windscribe Addons
WiTopia Personal
WorldVPN
X-VPN
zenmate.com Addons
zenmate.com VPN
Zenvpn.net
ZoogVPN
ZorroVPN
ZPN

What is WebRTC?

WebRTC is a free, open project that provides browsers and mobile applications with real-time communication (RTC) capabilities through simple APIs.

It includes fundamental tools for high-quality web communications, as well as the network, audio and video tools used in chat and video applications. All of the above can be accessed through a JavaScript API in the browser, allowing developers to easily use them in their RTC applications.

STUN - ICE

WebRTC allows calls to use the STUN and ICE mechanisms to create connections between different types of networks. The STUN server sends back a response that contains the client's IP address and port.

These STUN (Session Traversal Utilities for NAT) servers are used by VPNs to translate a local IP address into a new public IP address and vice versa.

To do this, the STUN server maintains a table of both the public VPN IP and the actual IP that you have during the connection.

Your home router has a similar function for translating private IP addresses into public and vice versa.

WebRTC allows requests to STUN servers that return the "hidden" IP address (yes, your real IP) as well as the local network addresses of the system the user is on.

The results of the requests can be read using JavaScript, but because they are made outside of the normal XMLHttpRequest process, they are not visible in the developer console.

The only requirement for this de-anonymizing technique to work is that the browser supports WebRTC and JavaScript.
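To check your own browser for the leak described above, the following added example (not code from the original article or from the researcher's PoC) classifies ICE candidate lines such as those shown in chrome://webrtc-internals or Firefox's about:webrtc. The function names, the `vpnExitIp` parameter and the sample lines are assumptions constructed for illustration; the sample uses documentation address ranges.

```javascript
// Added example: audit ICE candidate lines from your own browser session.
// Candidate syntax (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/i;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null; // not a candidate line
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]),
           type: m[7], raddr: m[8] || null };
}

// RFC 1918, loopback, link-local and CGNAT IPv4 ranges, plus IPv6 ULA/link-local.
function isPrivate(addr) {
  if (addr.includes(":")) return /^(f[cd]|fe[89ab])/i.test(addr) || addr === "::1";
  const [a, b] = addr.split(".").map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254) ||
         (a === 100 && b >= 64 && b <= 127);
}

// vpnExitIp: the address an IP-check page reports while the VPN is connected.
function auditCandidates(lines, vpnExitIp) {
  const report = { local: new Set(), mdns: new Set(), viaVpn: new Set(), leaked: new Set() };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    // srflx candidates carry the STUN-mapped address plus the local base in raddr.
    for (const addr of [c.address, c.raddr]) {
      if (!addr || addr === "0.0.0.0") continue;
      if (addr.endsWith(".local")) report.mdns.add(addr);   // mDNS-obfuscated host candidate
      else if (isPrivate(addr)) report.local.add(addr);     // LAN or tunnel-interface address
      else if (addr === vpnExitIp) report.viaVpn.add(addr); // expected: STUN saw the VPN exit
      else report.leaked.add(addr);                         // public, but not the VPN exit
    }
  }
  return Object.fromEntries(Object.entries(report).map(([k, v]) => [k, [...v]]));
}

// Constructed sample lines (documentation address ranges), not captured traffic.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host",
  "candidate:2 1 udp 2122194687 10.8.0.2 51235 typ host",
  "candidate:3 1 udp 1686052607 198.51.100.44 51234 typ srflx raddr 192.168.1.23 rport 51234",
  "candidate:4 1 udp 1685987071 203.0.113.9 51235 typ srflx raddr 10.8.0.2 rport 51235",
  "candidate:5 1 udp 2122260223 3f1c2a9e-0b7d-4c55-9e1a-6d2f8b4a7c10.local 51236 typ host",
];
console.log(auditCandidates(SAMPLE, "203.0.113.9"));
```

A non-empty `leaked` list means a STUN request left through an interface other than the VPN tunnel; an empty one with only `viaVpn` and `mdns` entries is the result you want after applying the protections below.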

VPN and WebRTC

The technique can be used to de-anonymize and trace users behind VPNs, SOCKS proxies, HTTP proxies and older Tor versions.

The following list contains browsers that have WebRTC enabled:

Brave
Edge
Epiphany (Gnome)
Firefox
Google Chrome
Google Chrome on Android
Internet (Samsung Browser)
Internet Explorer
Konqueror
NetSurf
Opera
Safari
Tor Browser
Vivaldi

23% of the VPN and proxy services tested by the researcher were found to reveal the actual IP.

Protection

Follow these steps to protect your true IP:

  • Disable WebRTC
  • Disable JavaScript (or at least some features, use NoScript)
  • Disable Canvas Rendering (Web API)
  • Always set a DNS fallback for each connection / network adapter
  • Always close browsers before and after using a VPN connection
  • Clear the browser cache, history, and cookies
  • Drop all outgoing connections except those to the VPN provider

PoC:

Check if your VPN reveals your real IP


Written by giorgos
