Privacy risk for all VPN users due to browser flaw

VPN.ac, a Romanian-based VPN provider of technical excellence, recently sent out a news release warning users of a possible browser issue that can disclose their local IP.

The issue affects people who use a VPN service and poses a privacy risk that VPN users automatically assume they are not susceptible to. VPN.ac explained that it affects users of the Chrome, Firefox and Opera web browsers, plus any other “Chromium-based browsers”.

A flaw in the WebRTC STUN protocol causes the issue: even though you are essentially anonymous behind a VPN, this flaw can reveal your local IP address. Unfortunately for unaware users, there is nothing your VPN provider can do to protect you from it. It is up to you to install the fixes required on your local device.

If you use any of the browsers mentioned above, VPN.ac have put together a test page that you can visit while connected to your VPN service to check whether your real IP is being leaked by the WebRTC STUN protocol flaw. Because the issue lies in the browser, all VPN protocols are susceptible: whether you use PPTP, L2TP, OpenVPN or another protocol, you will still be at risk until your browser is protected.

Those who aren’t at risk will see no details on the VPN.ac test page. If you see your local network IP or your actual ISP IP, you are affected and need to apply a patch to protect your privacy and ensure that your VPN connection can’t be rendered useless in the privacy stakes.
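To make that reading of the test results concrete, here is an added example (not VPN.ac's code) that classifies WebRTC ICE candidate lines the way the paragraph above describes: a private address is a local network IP, and a public address other than the VPN's is the ISP IP. It goes slightly beyond the text by also handling IPv6 and mDNS `.local` host names; the sample lines and the `vpnExitIp` parameter are constructed for illustration.

```javascript
// Added example: classify WebRTC ICE candidate lines to decide whether a
// browser behind a VPN exposes a local-network or ISP address.
// All addresses below are constructed (RFC 1918 / RFC 5737 ranges).

// True for private or link-local addresses, i.e. a "local network IP".
function isLocalAddress(addr) {
  if (addr.includes(':'))                       // IPv6: fe80::/10 and fc00::/7
    return /^(fe[89ab][0-9a-f]|f[cd][0-9a-f]{2}):/i.test(addr);
  const [a, b] = addr.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (!f[0].startsWith('candidate:') || f.length < 8 || f[6] !== 'typ') return null;
  return { address: f[4], type: f[7] };         // raddr/rport are ignored here
}

// vpnExitIp (hypothetical parameter): the public address your VPN gives you.
function assessLeak(lines, vpnExitIp) {
  const local = new Set(), isp = new Set();
  let hidden = 0;
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;                                   // not a candidate line
    if (c.address.endsWith('.local')) hidden++;         // mDNS name, real IP withheld
    else if (isLocalAddress(c.address)) local.add(c.address);
    else if (c.address !== vpnExitIp) isp.add(c.address);
  }
  return { localIps: [...local], ispIps: [...isp], hidden,
           affected: local.size + isp.size > 0 };
}

const SAMPLE = [ // constructed candidate lines
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:3 1 udp 1686052607 203.0.113.10 40000 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 2122260223 0f1e2d3c-1111-4222-8333-444455556666.local 50000 typ host',
  'a=end-of-candidates',
];
console.log(assessLeak(SAMPLE, '203.0.113.10'));
```

An empty candidate list, which is what a browser with WebRTC disabled produces, comes back as not affected.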

Although VPN.ac issued a warning about the flaw some months ago and news site TorrentFreak have recently posted a news bulletin regarding the same issue, it seems that not all users are aware of the risk.

VPN.ac suggest the following fixes for the three major browsers.

Chrome Desktop

Install the WebRTC Block extension.
Chrome Mobile: open the URL chrome://flags/#disable-webrtc in Chrome. After enabling the option, a warning will be displayed in the lower area of the screen asking to relaunch the browser for the settings to take effect.

Firefox Desktop

Open the URL about:config and search for media.peerconnection.enabled. Double click on it to set it to False. A browser restart is not required. NoScript also protects against this weakness.
Firefox Mobile: same as above

Opera Desktop

Install this extension that allows you to use Google extensions. Then install the WebRTC Block Chrome extension in Opera. You will be warned that it comes from an untrusted source, and you will need to enable it from the extensions page (URL opera:extensions).

Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net

Author: Christopher Seward

After 25 years of using the internet, Christopher launched one of the very first VPN comparison websites in 2013. An expert in the field, his reviews, testing and knowledge have helped thousands of users get the correct VPN for their needs.
