Deanonymisation of own real IP addresses via WebRTC

Sec5273
Sec5273 Posts: 9 New Member

Hi,

 

Today I read in a German blog, http://stadt-bremerhaven.de/deanonymisierung-webrtc-ip-adressen/, that it's easily possible for others to find out my real public IP address, although I use your new product F-Secure Freedome as a VPN.

 

I think this is true. The link above mentions an example. When I call the web page https://diafygi.github.io/webrtc-ips/, you see, among other things, my own real IP address.

 

Could you please investigate this? What is your opinion about this?

Comments

  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    Thank you for reporting this. 

    We will indeed investigate.

  • alan1
    alan1 Posts: 3

    I saw that article earlier - it seems to be a security hole / feature in Chrome and Firefox... using Internet Explorer or Safari would not have this issue.... https://github.com/diafygi/webrtc-ips... mine shows up blank here...

     

    here is an extract from the page... "Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript."

     

    If I am understanding this correctly, they get the IP directly from the client's machine - nothing to do with the fact they are running a VPN, as the browser you are using is responding to these scripts and replying with your local IP... to put it in simpler terms, imagine your browser responding to a Nigerian prince with your bank account info... in other words... use any browser except Firefox and Chrome, which have this security flaw...

  • I read the article originally on Torrentfreak. Tested with Google Chrome on Windows with Freedome protection on. Sure enough, the test showed my true ip (external and internal). I installed the extension mentioned in the article, fixed it.

     

    First it was reported it's just a Windows issue, but the same thing happened on my Android device with Freedome (KitKat 4.4.4) with Firefox and Opera. Followed instructions and disabled WebRTC on both browsers, fixed it.

    In the comments of that article, some people were also saying some iOS devices had the same thing happen (can't remember which browsers they used).

     

    Of course, without javascript enabled this is not possible. But that of course, breaks many sites if you disable javascript.

  • Sec5273
    Sec5273 Posts: 9 New Member

    On heise.de in this article you find the solution how to block it by yourself:

     

    IE: Currently (?) doesn't have the feature

    Firefox: about:config, search for media.peerconnection.enabled and set the value to False

    Chrome: Install the AddOn WebRTC Block ( https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm).

     

    When you call this webpage https://diafygi.github.io/webrtc-ips/ before doing the above-mentioned change and afterwards, you see that these fixes work.

     

    I assume this "problem" affects all VPN software in the world and so Freedome as well. Perhaps F-Secure can extend the Freedome settings so that users can change the settings through Freedome (and Freedome updates the corresponding browser settings) and not manually.

     

    Probably most of us want to get a little bit more privacy and probably only 5% of all Freedome users know about this problem.

  • yes - can you fix this at all ?

     

    Not that keen to sign up with your service if my real IP address is leaking because of STUN or WebRTC. I really don't know how it all works BUT it's a leak nevertheless.

     

    I have heard Firefox can be configured to fix this BUT I don't like Firefox.

     

    Thanks ...... ps otherwise great service.

     

    for more information read http://tinyurl.com/qzocjd6

     

  • Well, even if you install the aforementioned extension to Chrome, it does NOT fix it.

    Just go to http://ipleak.net/ - Bingo!

    That's a total bummer, I really like to prefer Chrome as my primary browser :(

  • EABJr
    EABJr Posts: 3

    Hi, any news about that ?

  • axel99
    axel99 Posts: 16 New Member
  • EABJr
    EABJr Posts: 3

    Hi, thank you !

  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    Hi,

     

    I have posted a longer answer to the WebRTC question in another thread, detailing a few options for disabling WebRTC.


    The short answer is that the WebRTC IP address leak is quite real, and a VPN solution such as Freedome cannot technically fully defeat it. The problem needs to be addressed within the web browser itself - by browser configuration changes (or plugins) to disable WebRTC, or by changes made by the browser developers.

  • There is now a working extension for Google Chrome too:

     

    WebRTC Network Limiter (Chrome Store)

     

    Tested after installation using the site IPLeak.net; it seems to be doing its job.
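
The before/after check that several posts above run by hand on a test page can also be applied to the ICE candidate lines themselves. The sketch below is an added example, not code from any poster or from F-Secure: it classifies every address in a set of candidate lines against the VPN exit address. The candidate lines, the addresses (documentation ranges) and all function names are constructed for illustration.

```javascript
// Added example. Candidate lines and addresses are constructed sample data.
const PRIVATE_V4 = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|127\.)/;
const PRIVATE_V6 = /^(fe[89ab]|f[cd])[0-9a-f]*:|^::1$/i;

// Parse one SDP "candidate:" line (RFC 5245 layout):
// foundation component transport priority address port typ <type> [raddr <addr> rport <port>]
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(.*)$/i.exec(line.trim());
  if (!m) return null;
  const raddr = /\sraddr (\S+)/.exec(m[5]);
  return { transport: m[1].toLowerCase(), address: m[2], type: m[4], raddr: raddr ? raddr[1] : null };
}

function classify(addr, vpnExit) {
  // Masked related address or mDNS host name: nothing usable is revealed.
  if (addr === "0.0.0.0" || addr === "::" || addr.endsWith(".local")) return "hidden";
  if (PRIVATE_V4.test(addr) || PRIVATE_V6.test(addr)) return "local";
  return addr === vpnExit ? "vpn-exit" : "real-public";
}

// Report every address the candidates would reveal to a page, relative to the VPN exit address.
function assessCandidates(lines, vpnExit) {
  const seen = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // ignore lines that are not candidates
    for (const addr of [c.address, c.raddr]) {
      if (addr) seen.set(addr, classify(addr, vpnExit));
    }
  }
  const kinds = [...seen.values()];
  return {
    addresses: Object.fromEntries(seen),
    leaksRealPublic: kinds.includes("real-public"),
    exposesLocal: kinds.includes("local"),
  };
}

const VPN_EXIT = "198.51.100.20"; // constructed: the address the VPN exit presents
const beforeFix = [               // constructed: browser with WebRTC enabled
  "candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.7 51000 typ srflx raddr 192.168.1.23 rport 51000",
  "candidate:3 1 udp 1686052607 198.51.100.20 40000 typ srflx raddr 10.8.0.2 rport 40000",
];
const afterFix = [];              // WebRTC disabled: no candidates are produced

console.log(assessCandidates(beforeFix, VPN_EXIT));
console.log(assessCandidates(afterFix, VPN_EXIT));
```

A result with `leaksRealPublic: false` and only `vpn-exit` or `hidden` entries is what a working browser-side fix should produce.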

This discussion has been closed.