WebRTC (WEB Real-Time Communication) allows real-time voice or video conversation in the browser without adding additional browser extensions. Including Chrome, Firefox, Opera and Safari, and it is also supported on the mobile terminal. Although this feature may be useful to some users, it poses a threat to anyone using VPN. The terrible thing about webrtc vulnerability is that even if you use VPN proxy to surf the Internet, you will still expose your real IP address.

WebRTC vulnerability principle

The vulnerability of webrtc was discovered in early 2015. Through this vulnerability, the website administrator can easily see the user's real IP address through webrtc, even if the user uses VPN to hide his IP. The vulnerability affects browsers that support webrtc, including Chrome and Firefox browsers.

WebRTC uses STUN (Session Traversal Utilities for NAT), turn, ice and other protocol stacks to penetrate the firewall or NAT in the VoIP network. When the user sends a request to the server, the stun server will return the IP address and LAN address of the system used by the user.

The returned request can be obtained through JavaScript, but this process is outside the normal XML/HTTP request process, so it can't be seen in the developer console. This means that the only requirement of this vulnerability is that the browser should support WebRTC and JavaScript.

Check whether your browser exposes IP

① Connect VPN proxy

② Visit https://ip.voidsec.com

If you see the public IP address in the WebRTC section, you have exposed your identity information.

WebRTC vulnerability prevention measures

For users, if they do not want to disclose their real IP address, they can prevent the disclosure of real IP address by disabling WebRTC.

Chrome installation extension disabled

Install the [WebRTC Leak Prevent] extension

Set the [IP handling policy] option to [disable non-proxied UDP (force proxy)]

Click [Apply Settings] to apply

Firefox modify configuration disabled

Enter "about:config" in the browser address bar and press enter

Search the "media.peerconnection.enabled" field

Double click the "media.peerconnection.enabled" preference to change its value to "false"

More Privacy Detection Website

Detect IP leaks: https://ipleak.net

Detect WebRTC leaks: https://diafygi.github.io/webrtc-ips/

Detect WebRTC leaks: https://www.expressvpn.com/webrtc-leak-test

Detect WebRTC leaks: https://www.privacytools.io/webrtc.html

Equipment information detection: https://do-know.com/privacy-test.html

WebRTC vulnerability detection: https://www.perfect-privacy.com/webrtc-leaktest/

Browser leak detection: https://browserleaks.com/webrtc