Last updated: December 31, 2022
In recent days, Daniel Roesler has discovered a security breach which affects WebRTC and which allows, thanks to a little cleverness and JavaScript, to retrieve the local and public IP address of the Internet user. If you use a proxy or you use a VPN, so it is possible to obtain your IP address.
WebRTC is a set of APIs for managing audio/video conversations directly from a browser, without any plug-ins to install. Chrome and Firefox support it natively. By exploiting the implementation of the WebRTC protocol under Windows (other operating systems would not be affected), it is possible to discover the real IP address of the Internet user hiding behind a proxy or VPN.
To test this flaw, just follow the steps below:
- Meeting on whatismyip and write down your public IP address
- Activate your proxy or VPN and go to this web page which exploits the WebRTC weakness.
- If your IP address is identical to the one returned on the page which exploits the WebRTC bug, that means I can also register it on my side to identify you
To protect against this flaw and while waiting for a fix in Firefox and Chrome, an extension has been put online for Chrome, which allows WebRTC to be deactivated and activated only if necessary.
In Firefox, you can also install this extension which disables WebRTC or go to the about:config panel, and reverse the media.peerconnection.enabled option, to set it to “false”:
