Deanonymisation of own real IP addresses via WebRTC

Aspirant


Hi,

 

Today I read in a German blog http://stadt-bremerhaven.de/deanonymisierung-webrtc-ip-adressen/ that it's easily possible for others to find out my real public IP address, although I use your new product F-Secure Freedome as a VPN.

 

I think this is true. The above-mentioned link gives an example. When I open the web page https://diafygi.github.io/webrtc-ips/, it shows, among other things, my own real IP address.

 

Could you please investigate this? What is your opinion about this?

F-Secure Product Expert

Re: Deanonymisation of own real IP addresses via WebRTC

Thank you for reporting this. 

We will indeed investigate.



Best Regards

-Ben

Scholar

Re: Deanonymisation of own real IP addresses via WebRTC

I saw that article earlier - it seems to be a security hole / feature in Chrome and Firefox... using Internet Explorer or Safari would not have this issue.... https://github.com/diafygi/webrtc-ips... mine shows up blank here...

 

Here is an extract from the page... "Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript."

 

If I am understanding this correctly, they get the IP directly from the clients' machines - nothing to do with the fact they are running a VPN, as the browser you are using is responding to these scripts and replying with your local IP... To put it in simpler terms, imagine your browser responding to a Nigerian prince with your bank account info... In other words... use any browser except Firefox and Chrome, which have this security flaw...

FormerMember

Re: Deanonymisation of own real IP addresses via WebRTC

I read the article originally on TorrentFreak. Tested with Google Chrome on Windows with Freedome protection on. Sure enough, the test showed my true IP (external and internal). I installed the extension mentioned in the article, fixed it.

 

First it was reported it's just a Windows issue, but the same thing happened on my Android device with Freedome (KitKat 4.4.4) with Firefox and Opera. Followed instructions and disabled WebRTC on both browsers, fixed it.

 

In the comments on that article, some people were also saying some iOS devices had the same thing happen (can't remember which browsers they used).

 

Of course, without JavaScript enabled this is not possible. But that, of course, breaks many sites if you disable JavaScript.

Aspirant

Re: Deanonymisation of own real IP addresses via WebRTC

In this article on heise.de you can find the solution for blocking it yourself:

 

IE: Currently (?) doesn't have the feature

Firefox: about:config, search for media.peerconnection.enabled and set the value to False

Chrome: Install the add-on WebRTC Block (https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm).

 

When you open this web page https://diafygi.github.io/webrtc-ips/ before making the above-mentioned change and again afterwards, you see that these fixes work.

 

I assume this "problem" affects all VPN software in the world and so Freedome as well. Perhaps F-Secure can extend the Freedome settings so that users can change the settings through Freedome (and Freedome updates the corresponding browser settings) rather than manually.

 

Probably most of us want to get a little bit more privacy, and probably only 5% of all Freedome users know about this problem.
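
A way to read the before/after result of the test page mentioned in the post above, as an added example that is not part of the original thread: it parses ICE candidate lines and lists every address a page could see other than the VPN exit address. The candidate lines, `VPN_EXIT_IP` and all function names are constructed for illustration.

```javascript
// Added example: sample data is constructed (RFC 1918 / RFC 5737 ranges only).
const VPN_EXIT_IP = "203.0.113.10"; // assumed VPN exit address
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 198.51.100.77 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 2122194687 10.8.0.2 50000 typ host",
  "candidate:4 1 udp 1685987071 203.0.113.10 50000 typ srflx raddr 10.8.0.2 rport 50000",
  "candidate:5 1 udp 2122260223 3f1c2a7e-0000-4000-8000-aabbccddeeff.local 50001 typ host",
];

// Extract the connection address, candidate type and (for srflx) the base address.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(?: raddr (\S+) rport \d+)?/
    .exec(line.trim());
  return m ? { address: m[1], type: m[2], relatedAddress: m[3] || null } : null;
}

function isPrivateIPv4(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
    (p[0] === 192 && p[1] === 168) || (p[0] === 169 && p[1] === 254);
}

// Returns the addresses a page could read besides the VPN exit address.
// IPv4 only: anything that is not private IPv4 is reported as public.
function findLeaks(candidates, vpnExitIp) {
  const publicIps = new Set(), localIps = new Set();
  for (const line of candidates) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.relatedAddress]) {
      // mDNS names (*.local) hide the host address; 0.0.0.0 is a placeholder.
      if (!addr || addr.endsWith(".local") || addr === "0.0.0.0") continue;
      if (isPrivateIPv4(addr)) localIps.add(addr);
      else if (addr !== vpnExitIp) publicIps.add(addr);
    }
  }
  return { publicIps: [...publicIps], localIps: [...localIps] };
}

console.log(findLeaks(SAMPLE_CANDIDATES, VPN_EXIT_IP)); // WebRTC enabled
console.log(findLeaks([], VPN_EXIT_IP));                // no candidates gathered
```

An empty `publicIps` list after the browser change is the result the post describes as the fix working.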

Novice

Re: Deanonymisation of own real IP addresses via WebRTC

Yes - can you fix this at all?

 

Not that keen to sign up with your service if my real IP address is leaking because of STUN or WebRTC. I really don't know how it all works BUT it's a leak nevertheless.

 

I have heard Firefox can be configured to fix this BUT I don't like Firefox.

 

Thanks... PS: otherwise great service.

 

For more information read http://tinyurl.com/qzocjd6

 

FormerMember

Re: Deanonymisation of own real IP addresses via WebRTC

Well, even if you install the aforementioned extension to Chrome, it does NOT fix it.

Just go to http://ipleak.net/ - Bingo!

That's a total bummer, I'd really prefer Chrome as my primary browser :(

Scholar

Re: Deanonymisation of own real IP addresses via WebRTC

Hi, any news about that?

Aspirant

Re: Deanonymisation of own real IP addresses via WebRTC

You can now block the WebRTC leak in Chrome 42 by making an edit to a file:

http://www.wilderssecurity.com/threads/websites-can-use-webrtc-to-determine-your-local-ip-address.37...

 

 

Scholar

Re: Deanonymisation of own real IP addresses via WebRTC

Hi, thank you!