VPN Leak

Back to Posts

VPN Leak

(Edited on 06/04: in order to reflect the actual situation)

TL:DR: VPN leaks users’ IPs via WebRTC.
I’ve tested hundred VPN and Proxy providers and 19 of them leaks users’ IPs via WebRTC (16%)

Some time ago, during a small event in my city, I’ve presented a small research on “decloaking” the true IP of a website visitor (ab)using the WebRTC technology (thx to wsx for the tip).

What is WebRTC?

WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs.

It includes the fundamental building blocks for high-quality communications on the web, such as network, audio and video components used in voice and video chat applications, these components, when implemented in a browser, can be accessed through a JavaScript API, enabling developers to easily implement their own RTC web app.

STUN/ICE

Is a component allowing calls to use the STUN and ICE mechanisms to establish connections across various types of networks. The STUN server sends a ping back that contains the IP address and port of the client

These STUN (Session Traversal Utilities for NAT) servers are used by VPNs to translate a local home IP address to a new public IP address and vice-versa. To do this, the STUN server maintains a table of both your VPN-based public IP and your local (“real”) IP during connectivity (routers at home replicate a similar function in translating private IP addresses to public and back.).

WebRTC allows requests to be made to STUN servers which return the “hidden” home IP-address as well as local network addresses for the system that is being used by the user.

The results of the requests can be accessed using JavaScript, but because they are made outside the normal XML/HTTP request procedure, they are not visible in the developer console.

The only requirement for this de-anonymizing technique to work is WebRTC and JavaScript support from the browser.

VPN and WebRTC

This functionality could be also used to de-anonymize and trace users behind common privacy protection services such as: VPN, SOCKS Proxy, HTTP Proxy and, in the past, TOR users.

Browsers that have WebRTC enabled by default:

  • Brave
  • Edge (it does not leaks at the moment since it doesn’t support ‘createDataChannel’)
  • Epiphany (Gnome)
  • Mozilla Firefox
  • Google Chrome
  • Google Chrome on Android
  • Internet (Samsung Browser)
  • Opera
  • Safari
  • Vivaldi

16% of the tested VPNs and Proxies services disclosed the real IP address of the visitors making the users traceable.

The following providers leaks users’ IP:

  • Astrill
  • BlackVPN
  • ChillGlobal (Chrome and Firefox Plugin)
  • CyrenVPN
  • Glype (Depends on the configuration)
  • hide-me.org
  • Hola!VPN
  • Hola!VPN (Chrome Extension)
  • Hoxx VPN (Firefox Browser Plugin)
  • HTTP PROXY in browser that support Web RTC
  • IBVPN (Browser Addon)
  • PHP Proxy
  • phx.piratebayproxy.co
  • psiphon3 (not leaking if using L2TP/IP)
  • SmartHideProxy
  • SOCKS Proxy on browsers with Web RTC enabled
  • SumRando Web Proxy
  • TOR as PROXY on browsers with Web RTC enabled
  • Windscribe Addons (Browser Extension/Plugin)

You can find the complete spreadsheet of tested VPN providers here: https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0

Add a comment or send me a tweet if you have updated results for any of the VPN which I am missing details. (especially the “$$$” one, since I cannot subscribe to 200 different payed VPN services :P)

Stay anonymous while surfing:

Some tips to follow in order to protect your IP during the internet navigation:

  • Disable WebRTC
  • Disable JavaScript (or at least some functions. Use NoScript)
  • Disable Canvas Rendering (Web API)
  • Always set a DNS fallback for every connection/adapter
  • Always kill all your browsers istances before and after a VPN connection
  • Clear browser cache, history and cookies
  • Drop all outgoing connections except for VPN provider

PoC:

You can check if your VPN leaks through this POC: http://ip.voidsec.com

PoC Code:

I’ve updated Daniel Roesler code in order to make it works again and you can find it on Github.

Share this post

Back to Posts