Network admins: These VPNs might leak your IP address

According to a VoidSec report, 23% of VPNs leak IP addresses via a WebRTC vulnerability.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • 23% of VPN providers leak user IP addresses through a WebRTC bug that's been around since 2015. — VoidSec, 2018
  • To browse anonymously, users should start by disabling WebRTC, JavaScript (or at least some functions), and Canvas Rendering. — VoidSec, 2018

Despite their purported use to protect user anonymity while browsing the internet, 23% of VPN providers may actually leak user IP addresses, according to a security report from VoidSec.

According to Paolo Stagno, the researcher who runs the VoidSec security blog, the issue stems from a bug in the open source WebRTC project. The particular vulnerability, discovered all the way back in 2015, has to do with WebRTC STUN servers, which can return a user's public and private IP addresses in a form that JavaScript running in the page can read.

Even worse is that the recorded IP addresses can be disclosed if a certain website already has a WebRTC connection established. Of the 83 VPN apps Stagno tested, 17 were found to be leaking information on the IP addresses, according to the report.

"This functionality could be also used to de-anonymize and trace users behind common privacy protection services such as: VPN, SOCKS Proxy, HTTP Proxy and in the past (TOR users)," Stagno wrote in the report.

Of the VPN providers tested, here are the ones that leaked IP addresses:

  • BolehVPN (USA Only)
  • ChillGlobal (Chrome and Firefox Plugin)
  • Glype (Depends on the configuration)
  • hide-me.org
  • Hola!VPN
  • Hola!VPN Chrome Extension
  • HTTP PROXY navigation in browsers that support WebRTC
  • IBVPN Browser Addon
  • PHP Proxy
  • phx.piratebayproxy.co
  • psiphon3 (not leaking if using L2TP/IP)
  • SOCKS Proxy on browsers with Web RTC enabled
  • SumRando Web Proxy
  • TOR as PROXY on browsers with Web RTC enabled
  • Windscribe Addons

According to the report, Brave, Mozilla Firefox, Google Chrome, Google Chrome on Android, Samsung's browser, Opera, and Vivaldi all have WebRTC enabled by default.

To stay anonymous while surfing the internet, Stagno recommended that users disable WebRTC, JavaScript, and Canvas Rendering. He also recommended setting a DNS fallback for each connection and adapter, and killing browser instances before and after each VPN connection.

Of course, users can also improve their privacy online by clearing their browser cache, history, and cookies, and by dropping outgoing connections.
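To check whether these mitigations actually hold on a given machine, an admin can copy the ICE candidate lines from the browser's own WebRTC diagnostics page (about:webrtc in Firefox, chrome://webrtc-internals in Chrome) while the VPN is connected and audit them. The script below is an added example, not code from the VoidSec report; the function names, the `vpnExitIp` parameter, and the sample candidates are assumptions made for illustration.

```javascript
// Added example (not from the VoidSec report). Audits ICE candidate lines copied
// from your own browser's WebRTC diagnostics page while the VPN is connected.
// Candidate grammar per RFC 8839:
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
const CANDIDATE_RE = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/i;

function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns'; // obfuscated host candidate, no IP revealed
  if (a.includes(':')) {
    // IPv6 loopback, unique-local fc00::/7 and link-local fe80::/10 are not routable
    return a === '::1' || /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/.test(a) ? 'private' : 'public';
  }
  const parts = a.split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return 'unknown';
  const o = parts.map(Number);
  const isPrivate = o[0] === 10 || o[0] === 127 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
  return isPrivate ? 'private' : 'public';
}

// vpnExitIp (assumption): the public address the VPN is expected to present.
function auditCandidates(lines, vpnExitIp) {
  const findings = [];
  for (const raw of lines) {
    const m = CANDIDATE_RE.exec(raw.trim());
    if (!m) continue; // skip anything that is not a candidate line
    const [, address, type] = m;
    const scope = classifyAddress(address);
    if (scope === 'public' && address !== vpnExitIp) {
      findings.push({ type, address, issue: 'public-ip-leak' });
    } else if (scope === 'private') {
      findings.push({ type, address, issue: 'private-ip-exposed' });
    } else if (scope === 'unknown') {
      findings.push({ type, address, issue: 'unrecognized-address' });
    }
  }
  return findings;
}

// Constructed sample using documentation address ranges (RFC 5737).
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.42 54321 typ host',
  'candidate:2 1 udp 2122194687 3f2a9c1e-1b2c-4d5e-8f90-abcdef012345.local 54322 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.23 54321 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0',
];
console.log(auditCandidates(SAMPLE, '203.0.113.7'));
```

An empty result means every candidate was either an mDNS-obfuscated host entry or the VPN's own exit address; any `public-ip-leak` finding is the condition the report describes.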

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.
