You may have recently heard about the potentially harmful flaw in the WebRTC STUN protocol – a security risk that affects some modern web browsers and users connected to VPN services. The vulnerability can leak VPN users’ original IP addresses, allowing malicious third-party websites to gather information on your whereabouts. Unfortunately, the problem isn’t related to your provider and cannot be fixed on the server side; however, it can be fixed manually.
What is WebRTC?
WebRTC (Web Real-Time Communication) is an open web framework initially developed by the World Wide Web Consortium (W3C) that supports inter-browser communication as well as applications for voice calling, video chat and P2P file-sharing without requiring additional plugins. This standard resolves communication problems such as incompatibilities in real-time. In short, and as the most common example, WebRTC acts as a data bridge for audio and video communications between browsers, substituting for standalone software applications.
Browsers affected by the WebRTC flaw
- Google Chrome
- Mozilla Firefox
- Other Chromium browsers
Does it affect you?
To find out if the flaw is causing your browser to leak your IP details, connect to your VPN and run this WebRTC test. If the Public IP address field displays the IP of your VPN server, your browser is not affected. However, if it displays your original IP even though you are connected to a VPN, your personal IP information, including location, is being exposed by the leak and is vulnerable to exploitation by malicious websites.
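The comparison this test performs can also be reproduced offline. The following JavaScript is an added example, not code from the test page or from this article: it parses ICE candidate lines in the standard `candidate:` format and flags any public address that is not the VPN server's IP. The function names and the sample addresses (taken from documentation ranges) are assumptions made for illustration.

```javascript
// Added example: classify ICE candidate lines and compare them with the VPN exit IP.
// All addresses below are constructed samples from documentation ranges.

// Parse one candidate line: "candidate:<foundation> <component> <transport>
// <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

// Private, loopback, link-local and CGNAT IPv4 ranges, plus IPv6 ULA/link-local.
function isPrivate(addr) {
  if (addr.includes(':')) return /^(f[cd]|fe[89ab])/i.test(addr) || addr === '::1';
  const [a, b] = addr.split('.').map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254) || (a === 100 && b >= 64 && b <= 127);
}

// Same verdict as the test's "Public IP address" field: any public address
// other than the VPN exit IP counts as a leak. Addresses are compared as text.
function checkLeak(candidateLines, vpnExitIp) {
  const result = { leaked: [], viaVpn: [], local: [], obfuscated: [], skipped: 0 };
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) { result.skipped++; continue; }
    let bucket;
    if (c.address.endsWith('.local')) bucket = result.obfuscated; // mDNS name, no IP exposed
    else if (c.address === vpnExitIp) bucket = result.viaVpn;
    else if (isPrivate(c.address)) bucket = result.local;
    else bucket = result.leaked;
    if (!bucket.includes(c.address)) bucket.push(c.address);
  }
  result.leaking = result.leaked.length > 0;
  return result;
}

// Constructed sample: VPN exit is 203.0.113.7, the ISP-assigned address is 198.51.100.23.
const sampleCandidates = [
  'candidate:1 1 udp 2122260223 192.168.1.10 51234 typ host generation 0',
  'candidate:2 1 udp 2122194687 3c1f9a2e-0000-4000-8000-000000000001.local 51235 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.7 40112 typ srflx raddr 10.8.0.2 rport 51236',
  'candidate:4 1 udp 1685987071 198.51.100.23 51234 typ srflx raddr 192.168.1.10 rport 51234',
  'not a candidate line',
];
console.log(checkLeak(sampleCandidates, '203.0.113.7'));
```

A result with `leaking: true` corresponds to the test showing your original IP; after applying one of the fixes below, the same check should report no address in `leaked`.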
How to fix it
If the test came back showing your original IP, then it’s time to resolve the issue manually. Essentially, you would want to disable WebRTC, but if this option isn’t available in your favourite browser, there are alternative steps you can take. Here’s a rundown on all of them:
Chrome (desktop version): WebRTC is enabled by default in Chrome, and unfortunately, it’s one of the browsers where the feature cannot be switched off in settings. One of the better options is to install the WebRTC Block extension by Browserleaks.com. Note that when using Incognito mode, you will need to check “Allow in incognito mode” in the browser extension settings.
Additionally, some providers offer their own solutions, such as the VPN.AC SecureProxy Chrome extension, which eliminates the need to download the aforementioned WebRTC Block. Note that a VPN.AC account is required to use the proxy, as this extension will ask for your account login details.
Chrome (mobile version): To disable WebRTC on the mobile version of Chrome, type chrome://flags/#disable-webrtc in the URL address bar, then select “Enable”. Google’s wording is a bit confusing here, as ‘enabling’ the option will actually disable the WebRTC function. The result should be the same as in our screenshot below. For the changes to take full effect, you will need to relaunch the browser on your device.
Firefox (desktop and mobile): In the browser, type about:config in the URL bar and search for media.peerconnection.enabled. Double click the option so it is set to False. The browser will need to be restarted for changes to take effect.
As Firefox is an open-source browser, you can also find useful add-ons such as NoScript Security Suite, which is designed to enhance in-browser privacy and works by disabling insecure or harmful scripts, including WebRTC and more.
Opera (desktop version): To disable WebRTC in Opera, first download the Chrome extension. This will enable you to download native Chrome extensions, such as WebRTC Block or VPN.AC SecureProxy. As mentioned before, an account is required to use the latter. When you download a Chrome extension, the browser will warn you that the source is untrusted, so you will need to manually enable it on the opera:extensions page. Currently, we haven’t stumbled upon a fix for Opera Mobile, but will update this section once we do.
Using a VPN router
One way to circumvent any potential IP leaks is by running a VPN through your router. As the traffic is tunneled directly over the local internet connection, your IP should be secure from the get-go. However, be sure to delete the default gateway bound to your Local Network interface after establishing the VPN connection, as we found some users on the OpenVPN support forum (Link 1 and Link 2) reporting that WebRTC can still leak your IP without using your own VPN provider’s custom gateway. Instructions on how to do this can be found here. As a precautionary measure, it is still recommended to disable WebRTC in your browser using the instructions above.
On a final note, another privacy step that we strongly recommend is preventing your device from leaking your DNS information. You can find out how to prevent DNS leaks in this article.