Major Windows Security Flaw Leaks VPN Users Real IP Address

2 minute read

Posted by: DeepDotWeb

February 1, 2015

To the author of this article:  We are mailing to your mail, and don’t think you are getting those mails, please contact us from another address.

Just a few days after learning that the Canadian Government is tracking visitors of popular file-sharing sites security researchers have discovered a major security flaw that reveals Windows VPN users real IP address through WebRTC. Linux and Mac OS X users are not affected by this vulnerability as it is specific to Windows users running Google Chrome and Firefox.

With a few lines of code websites can make requests to STUN servers and log users’ VPN IP address and their true IP address, as well as local network addresses.

A demo published on GitHub by developer Daniel Roesler allows people to check if they are affected by the security flaw.

The demo claims that browser plugins can’t block the vulnerability, but luckily this isn’t entirely true. There are several easy fixes available to patch the security hole.

Chrome users can install the WebRTC block extension or ScriptSafe, which both reportedly block the vulnerability.

Firefox users should be able to block the request with the NoScript addon. Alternatively, they can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false. The Tor Browser Bundle includes the NoScript addon with Firefox but Windows users will want to verify that NoScript is configured properly.

While developments like this can appear frightening, the good news is there is a simple fix. The real problem here however is not the fix, but rather the fact that many users will go about their day to day activities without knowledge of this flaw. It is important to be aware of current security issues and ensure that the latest software updates or fixes are applied to remain anonymous and maintain our privacy and security.

More information on what this does is available from the researcher’s github page:

Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript. This demo is an example implementation of that.

Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.”

Two of the top anonymous VPN service providers TorVPN and Private Internet Access addressed the vulnerability on their blogs and forums suggesting that their users test for DNS, email, and IPv6 IP address leaks when setting up their service. [See testing resource links below]

How to fix the WebRTC Security Hole

In Chrome browser there is now a free extension available that will patch this problem directly. You can install this add-on from the Chrome Store here.

In Firefox, there are a few more steps to patch the problem. First, type “about:config” directly into the URL bar and hit enter. Then search for “media.peerconnection.enabled” and double click this option to set it to false.

Testing Resources:



IPv6 Leak:

E-Mail IP Leak:

Updated: 2015-02-01