Vulnerability in Chrome and Firefox Leaks VPN Users' Actual Public IP Address

A recently discovered vulnerability in both the Chrome and Firefox browsers could cause some security headaches for frequent VPN users. Recent updates to both browsers have enabled WebRTC by default. WebRTC is an API that allows for browser-to-browser communication and is generally used in VoIP calling, video chat, and other online applications, without the need to install any extensions or plug-ins. The vulnerability affects any VPN user running the latest versions of Firefox or Chrome on either Windows or Mac OS X. As most know, VPN services are generally used to mask a person's public IP address when communicating over the Internet, effectively providing a level of anonymity when browsing websites and using other Internet-based services. All outbound Internet traffic is sent over an encrypted tunnel to the VPN provider's servers and then routed to the Internet from there.

The vulnerability in WebRTC lies in the method used to establish browser-to-browser connections when one or both machines are behind a NAT. This NAT "traversal" method requires both browsers to execute a bit of JavaScript that connects to a STUN (Session Traversal Utilities for NAT) server on the public Internet, which then facilitates the browser-to-browser connection when NAT is in use. When WebRTC makes the connection to the STUN server, rather than sending only the public IP you appear to connect from through the VPN, WebRTC also sends your actual public IP as well as your LAN IP. This is a huge problem, considering that most users of VPN services use them specifically to mask their actual public IP. On top of the fact that your actual public IP is leaked, having your LAN IP leaked is also a major security risk: it gives potential attackers the private IP addressing scheme used locally, as well as the LAN IP of a device, which could make it easier to penetrate and infect the internal network. A theoretical attack would consist of an attacker setting up a malicious webpage with the JavaScript needed to initiate the connection to a STUN server, along with a malicious STUN server active on the public Internet. Once the attacker has this set up, it's just a matter of getting targets to visit the malicious page.
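To make the leak concrete, here is an added example (not code from the original article) that classifies the ICE candidate lines a browser hands to page JavaScript through `RTCPeerConnection`'s `onicecandidate` events after it has queried a STUN server. A `host` candidate carries the machine's own interface address (the LAN IP), and a `srflx` candidate carries the address the STUN server observed (the public IP of whichever interface reached it); the sample candidate lines below are constructed, not captured from a real host.

```javascript
// Returns true for RFC 1918 and link-local IPv4 ranges typical of a LAN behind NAT.
function isPrivateIPv4(ip) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Parse one ICE candidate line (RFC 5245 "candidate" attribute) into its
// address, port and candidate type. Field layout:
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const fields = line.replace(/^a=/, '').trim().split(' ');
  const typIdx = fields.indexOf('typ');
  if (fields.length < 8 || typIdx < 0 || typIdx + 1 >= fields.length) return null;
  return { address: fields[4], port: Number(fields[5]), type: fields[typIdx + 1] };
}

// Summarize what a set of gathered candidates reveals to the page:
//   host  -> the browser's own interface address (LAN IP behind the NAT)
//   srflx -> the address the STUN server saw, i.e. the public IP of the
//            interface that reached it, which can be the non-VPN path
//   relay -> a TURN relay address, which exposes neither of the above
function assessLeak(candidateLines) {
  const result = { lanIPs: [], reflexiveIPs: [], relayIPs: [] };
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;                       // ignore malformed lines
    if (c.type === 'host' && isPrivateIPv4(c.address)) result.lanIPs.push(c.address);
    else if (c.type === 'srflx') result.reflexiveIPs.push(c.address);
    else if (c.type === 'relay') result.relayIPs.push(c.address);
  }
  result.leaksLan = result.lanIPs.length > 0;
  result.leaksPublic = result.reflexiveIPs.length > 0;
  return result;
}

// Constructed sample: the two candidates a browser behind a home NAT typically
// gathers after a public STUN server answers (addresses are placeholders).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0',
];

console.log(assessLeak(SAMPLE_CANDIDATES));
```

Any `host` candidate with a private address or any `srflx` candidate in the output means the page's JavaScript has seen the LAN IP or the STUN-observed public IP respectively, which is exactly the information a VPN user expects to stay hidden.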

As of right now, the only way to patch the vulnerability is to disable WebRTC entirely. This can be done by installing the WebRTC Block extension in Chrome, or by installing a JavaScript-blocking extension in Firefox and adjusting some configuration settings. You can check whether you are vulnerable by navigating here and trying the proof of concept (make sure you are connected to a VPN service first).



Jarrod Manwaring