Italian security researcher Paolo Stagno, who goes by the online moniker VoidSec, has discovered that around 23% of VPN providers are still leaking users’ IP addresses via the WebRTC flaw.
The VPN flaw simply known as a WebRTC Leak was discovered way back in 2015 and was one of the more serious issues of recent years.
When connected to a VPN service, users could have their real home IP address leaked to websites by the WebRTC issue. The issue was well reported at the time and has now reared its head again in a new study carried out by VoidSec.
WebRTC the never-ending pain
When the WebRTC IP leak issue was first discovered, most reputable VPN providers did the right thing and introduced security measures into their services and clients to stop such occurrences.
However, stopping WebRTC leaks wasn’t just an issue for providers. Users were also warned about it and advised to either manually disable WebRTC or install plugins to turn off the WebRTC functionality of their browsers.
Fast forward 3 years and it appears WebRTC is still causing problems for the security of VPN users, according to research recently published by VoidSec.
In his tests, VoidSec discovered that a massive 16 of 70 providers leaked a user’s real IP Address via the WebRTC issue. That’s nearly a quarter of all providers tested, or more accurately, 23%!
Who’s been a naughty boy then
While it’s shocking to discover that 23% of VPN providers tested leaked a user’s real IP address, it’s important to note that most of the research was carried out on “Free” VPN services.
Out of the 16 providers found to have WebRTC leaks, only around 3 or 4 would be considered traditional or even well-known VPN services. The rest were made up of a mix of web-browser based proxy add-ons or unknown service providers.
Probably the most well-known and most worrying discovery was that PureVPN featured on the list. The provider was recently rapped over the knuckles for handing over identifying user information in a criminal case, which threw its “no-log” policy into question.
In an update to the research, it was noted that PureVPN has since fixed the WebRTC issue.
Hola VPN, another provider that has been in the news for all the wrong reasons in the past, also found its way onto the list of providers you’re now likely to want to give a miss. You can find out more about Hola’s shady past at Adios-Hola.
Research silver lining
Due to time and cost constraints, it was impossible for VoidSec to test a large portion of commercial or paid-for VPN services.
In our own efforts to aid the research we tested 11 of the most well-known paid-for VPN services on a Windows system running Google Chrome and found that none leaked our home IP Address via WebRTC.
However, mileage in such tests may vary: while we personally found no leaks with some providers, others have reported differences when using different devices or set-ups with the same provider.
If you’re interested in testing your own VPN service for WebRTC leaks, VoidSec has started a WebRTC Leak Test Page, or you can use a service such as IPX.ac, which tests for WebRTC and other leaks.
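A leak test of this kind comes down to comparing the addresses the browser’s WebRTC stack offers as ICE candidates with the VPN’s exit address. The sketch below is an added example, not code from VoidSec’s test page or IPX.ac; the function names and the sample candidate lines are constructed for illustration, and the addresses come from the RFC 5737 documentation ranges.

```javascript
// Added example. Classifies WebRTC ICE candidate lines against the VPN exit IP.
// Line layout: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m ? { address: m[1].toLowerCase(), port: Number(m[2]), type: m[3] } : null;
}

function isLocalAddress(addr) {
  if (addr.includes(":")) {
    // IPv6 loopback, link-local (fe80::/10) and unique-local (fc00::/7)
    return addr === "::1" || /^fe[89ab]/.test(addr) || /^f[cd]/.test(addr);
  }
  const o = addr.split(".");
  if (o.length !== 4 || !o.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return false;
  const [a, b] = o.map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

function classify(addr, vpnExitIps) {
  if (addr.endsWith(".local")) return "mdns-masked"; // browser hid the host address
  if (vpnExitIps.includes(addr)) return "vpn-exit";  // what a website should see
  if (isLocalAddress(addr)) return "local";          // LAN or tunnel interface address
  return "leak";                                     // public address that is not the VPN's
}

// Verdict for every parseable candidate line; unparseable lines are skipped.
function auditCandidates(lines, vpnExitIps) {
  const exits = vpnExitIps.map((ip) => ip.toLowerCase());
  return lines.map(parseCandidate).filter(Boolean)
    .map((c) => ({ ...c, verdict: classify(c.address, exits) }));
}

function findLeaks(lines, vpnExitIps) {
  return auditCandidates(lines, vpnExitIps).filter((c) => c.verdict === "leak");
}

// Constructed sample: 203.0.113.7 stands in for the VPN exit,
// 198.51.100.23 for the address assigned by the home ISP.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host",
  "candidate:2 1 udp 2122194687 3f0c9a2e-7b1d-4c55-9e0a-5d2f6b8c1a77.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 40000 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 1686052351 198.51.100.23 40001 typ srflx raddr 192.168.1.20 rport 54321",
];
const VPN_EXIT = ["203.0.113.7"];
console.log(auditCandidates(SAMPLE_CANDIDATES, VPN_EXIT).map((c) => `${c.address} -> ${c.verdict}`));
```

In a browser, the candidate strings come from the `icecandidate` events of an `RTCPeerConnection`; any entry reported as `leak` while the VPN is connected means a website could read the same address.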
To see the continually updated list of tested and to-be-tested providers, check out VoidSec’s Google Spreadsheet.
What can you do to stop WebRTC Leaks
To stop WebRTC leaks you should ensure you’re using one of the providers confirmed as not leaking on VoidSec’s list.
Rather than relying solely on your VPN service to protect you from every possible leak, it’s important to either disable WebRTC manually or use a recommended browser add-on to do this for you.
VoidSec also recommends using add-ons such as NoScript, disabling canvas rendering, killing web browser instances before and after using a VPN and dropping all outgoing connections apart from the VPN. For further safety suggestions check out his original research page.