Paolo Stagno, an Italian security researcher using the online moniker VoidSec, has revealed a startling new discovery about virtual private networks or VPNs. As per the findings of Stagno, nearly 23% of VPN providers are still leaking IP addresses of users through the VPN flaw dubbed as WebRTC Leak. This means, if you are connected to a VPN, Tor or Socks proxy, it is a possibility that the device’s IP address is being leaked automatically.
VPN service leaking real IP addresses through WebRTC leak
WebRTC Leak was discovered in 2015. It is believed to be one of the most critical issues that have been identified so far as a user’s real home IP address gets exposed to websites. It is quite unfortunate that such a grave flaw has been ignored by browser makers for so long.
WebRTC (RTC = Real-Time Communications) emerged as pretty useful technology but its dark side only got revealed much later. It is a set of APIs used by all main web browsers. However, it believed to be a privacy nightmare now since it can be abused easily.
The basic purpose of using WebRTC is to improve the browser’s communicational capabilities, which is important since a variety of communication forms like voice or voice chat are used by websites/services. In all major browsers including Chrome and Firefox, WebRTC is enabled by default and websites or services utilize it without interacting with the user.
As far as privacy aspect is concerned, the issue with WebRTC is that browsers can leak the real IP address of the device to any website. Given that permission prompts are not displayed by WebRTC, it is possible that websites access the IP address without the knowledge or consent of the user.
There are only a handful of browsers that contain an option of blocking WebRTC IP leaks. For instance, Vivaldi browser provides an option of disabling the broadcasting of real IP address of the device under Settings>Privacy. Firefox users can disable WebRTC completely by accessing about:config through media.peerconnection.enabled and changing the setting to False.
A massive threat to privacy
It is indeed shocking that 23% of VPN service providers are still falling prey to this flaw but it is also important to note that most of the VPNs tested for this research were Free services. Nearly 16 VPN services were tested and identified to have WebRTC Leak flaw and out of these 16, only 3 to 4 can be labeled as well-known VPN services while the rest were either unknown services or web-browser based proxy add-ons.
PureVPN was the most well-known of all the 16 services that were tested. It is worth noting that PureVPN has now fixed the WebRTC flaw after the revelation by VoidSec. Another known service tested for the research was the infamous Hola VPN.
List of VPNs leaking real IP address of users
- BolehVPN (USA Only)
- ChillGlobal (Chrome and Firefox Plugin)
- Glype (Depends on the configuration)
- Hola!VPN Chrome Extension
- HTTP PROXY navigation in a browser that supports Web RTC
- IBVPN Browser Addon
- PHP Proxy
- psiphon3 (not leaking if using L2TP/IP)
- SOCKS Proxy on browsers with Web RTC enabled
- SumRando Web Proxy
- TOR as PROXY on browsers with Web RTC enabled
- Windscribe Add-ons
The full list of tested VPNs is available here.
How to check if your browser is impacted by WebRTC flaw
You can check if a website is benefitting from WebRTC flaw. If you use Chrome or any other Chromium-based browser like Vivaldi or Opera, simply open chrome://webrtc-internals/ in the address bar to view the list of all WebRTC connections. Firefox users should open about:webrtc in browser’s address bar to check the list of WebRTC connections under Sessions Statistics.
However, the presence of connections list does not mean that the IP address of the device has been leaked. If you configure your browser to block WebRTC leaks or if the VPN provider’s software blocks WebRTC IP leaks automatically, then your IP address is not exposed.
Tons of VPNs are saving user logs
For VPN users, privacy and anonymity is the main requirement, which probably they are not getting and this isn’t the first time that VPNs are identified to be fooling users. A recent study from Best VPN, a VPN comparison platform, revealed that out of 115 most famous VPN services on the web, 26 were found to be deceiving users with false claims.
Instead of their claim of not keeping tabs on users or identifying their location or other information, the services were identified to be doing the opposite. The 26 VPNs collected three key log files containing important personal data including IP address, location, connection timestamps and bandwidth data.
List of VPNs saving user logs
- HotSpot Shield
- VPN Unlimited
- Boleh VPN
- HideIP VPN
- VPN Gate
- Ace VPN
- Flow VPN
If the issues in VPNs are not fixed, the market value of these services will be negatively affected for sure. VPN market is an immensely lucrative one as research suggests the worldwide demand for VPN services will reach an all-time high by 2019 with $70 billion in comparison to $45 billion in 2014.
It is about time that VPN service providers take notice and make their services completely transparent and reliable.