Last updated: December 31, 2022
In recent days, Daniel Roesler has discovered a security breach which affects WebRTC and which allows, thanks to a little trick and JavaScript, to retrieve the local and public IP address of the Internet user. If you use a proxy or you use a VPN, so it is possible to get your IP address.
WebRTC is a set of APIs for managing audio / video conversations directly from a browser, without plug-ins to install. Chrome and Firefox natively support it. By exploiting the implementation of the WebRTC protocol under Windows (other operating systems would not be affected), it is possible to discover the real IP address of the Internet user who is hiding behind a proxy or a VPN.
To test this flaw, just follow the steps below:
- Meeting on whatismyip and write down your public IP address
- Activate your proxy or VPN and go to this web page which exploits the WebRTC weakness.
- If your IP address is identical to the one returned on the page which exploits the WebRTC bug, that means I can also register it on my side to identify you
To protect against this flaw and while waiting for a fix in Firefox and Chrome, an extension has been put online for Chrome, which allows you to disable WebRTC and enable it only when needed.
In Firefox, you can also install this extension which disables WebRTC or go to the about: config panel, and invert the media.peerconnection.enabled option, to set it to "false":
