Developer creates code to demonstrate the info leak

Feb 2, 2015 13:15 GMT

The implementation of WebRTC (Web Real-Time Communication) in Google Chrome and Mozilla Firefox allows viewing both the public IP address and the internal one, even if the connection is routed through a VPN server.

WebRTC is an open-source project that provides simple APIs for communication (voice calling, video chat, and P2P file sharing) in web apps, straight from the browser, using a standard set of protocols.

It is currently supported by the Chrome, Firefox and Opera web browsers, and it also works on the Android and iOS mobile platforms.

Privacy plug-ins cannot stop the leak

Researcher Daniel Roesler explains that WebRTC in the two web browsers is configured so that it allows IP address requests to be made to a STUN (Session Traversal Utilities for NAT) server.

A STUN server is contacted via UDP and it allows a client behind a firewall to communicate with a VoIP provider outside the local network. It identifies the gateway IP, as well as the internal one assigned to the client, in order to establish direct traffic exchange with it.

The results of the requests are available to JavaScript, but because they are made outside the normal XMLHttpRequest procedure, they are not visible in the developer console.

Furthermore, Roesler says that this is also the reason why privacy-enforcing plug-ins such as AdBlock or Ghostery are not capable of blocking them. “This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain,” he says.

Demo code tests browser for the information leak flaw

The developer created code to demonstrate the information leak flaw by making secret requests to STUN servers logging the calls. Roesler published his project on GitHub. The demo shows both the external and internal IP addresses of a client connected via VPN (virtual private network), making it possible to track the connection route.
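To audit what a browser exposes, the ICE candidate lines its WebRTC stack gathers can be classified by candidate type and address: "host" candidates carry an interface address, "srflx" candidates carry the address a STUN server saw. The following is an added example, not Roesler's demo code; the function names, exposure labels and sample candidate lines are constructed for illustration.

```javascript
// Added example: classify ICE candidate lines by the address they expose.
// Not taken from Roesler's project; all names and sample data are constructed.

// RFC 1918 private ranges plus loopback and link-local (IPv4 only, for brevity).
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// RFC 5245 candidate-attribute syntax:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

function classify(line) {
  const c = parseCandidate(line);
  if (!c) return null; // skip anything that is not a candidate line
  let exposure;
  if (c.address.endsWith('.local')) exposure = 'masked-mdns'; // name, not an IP
  else if (c.type === 'host' && isPrivateIPv4(c.address)) exposure = 'internal-ip';
  else if (c.type === 'srflx') exposure = 'public-ip-via-stun';
  else if (c.type === 'relay') exposure = 'relay-only';
  else exposure = 'other';
  return { ...c, exposure };
}

function auditCandidates(lines) {
  const results = lines.map(classify).filter(Boolean);
  return {
    results,
    leaksInternal: results.some(r => r.exposure === 'internal-ip'),
    leaksPublic: results.some(r => r.exposure === 'public-ip-via-stun'),
  };
}

const SAMPLE = [ // constructed lines using documentation/private addresses
  'candidate:1 1 UDP 2122252543 192.168.1.23 54321 typ host',
  'a=candidate:2 1 UDP 1686052863 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:3 1 udp 2113937151 3f2a9c1e-example.local 54400 typ host',
  'not a candidate line',
];
console.log(auditCandidates(SAMPLE));
```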

The problem is known to Google developers, who dismissed it as a privacy issue, not a security-related one, and could not reach an agreement on a fix, since the suggested solutions would affect the functionality of WebRTC.

WebRTC can be disabled in Chrome by installing the WebRTC Block extension, while in Firefox the “media.peerconnection.enabled” preference needs to be set to “false” on the advanced configuration page (about:config).

The Tor anonymity web browser is a modified version of Firefox, but it does not come with WebRTC.