Cyber security researcher Paolo Stagno (aka VoidSec) has tested seventy VPN providers and found that 16 of them (23%) leak users’ IPs via WebRTC.
- You can check if your VPN leaks by visiting: http://ip.voidsec.com
- Here you can find the complete list of the VPN providers that I’ve tested: https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0
- Add a comment or send me a tweet if you have updated results for any of the VPNs for which I am missing details (especially the “$$$” ones, since I cannot subscribe to 200 different paid VPN services :P).
Some time ago, during a small event in my city, I presented a small piece of research on “decloaking” the true IP of a website visitor by (ab)using the WebRTC technology.
What is WebRTC?
WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs.
It includes a component that allows calls to use the STUN and ICE mechanisms to establish connections across various types of networks. The STUN server sends a pingback that contains the IP address and port of the client.
These STUN (Session Traversal Utilities for NAT) servers are used by VPNs to translate a local home IP address to a new public IP address and vice-versa. To do this, the STUN server maintains a table of both your VPN-based public IP and your local (“real”) IP during connectivity (routers at home perform a similar function when translating private IP addresses to public ones and back).
WebRTC allows requests to be made to STUN servers which return the “hidden” home IP-address as well as local network addresses for the system that is being used by the user.
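The addresses described above reach the page as ICE candidate lines, so a leak check comes down to parsing those lines and comparing each address with the one the VPN is supposed to present. The following is an added example, not code from the original article or from the linked POC; it assumes the candidate strings were already collected (in a browser they are the `candidate` strings delivered by an `RTCPeerConnection`'s `icecandidate` events), and the function names, the `expectedExitIp` parameter and the sample lines are constructed for illustration.

```javascript
// Added example. ICE candidate lines use the SDP "candidate" attribute layout:
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./];

// Extract the advertised address and candidate type; returns null for non-candidate lines.
function parseCandidate(line) {
  const parts = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!parts[0].startsWith("candidate:") || parts.length < 8 || parts[6] !== "typ") return null;
  return { address: parts[4].toLowerCase(), port: Number(parts[5]), type: parts[7] };
}

// "mdns": browser-obfuscated host name; "private": LAN/link-local; "public": routable.
function classifyAddress(address) {
  if (address.endsWith(".local")) return "mdns";
  if (address.includes(":")) return /^(f[cd]|fe[89ab])/.test(address) ? "private" : "public";
  return PRIVATE_V4.some((re) => re.test(address)) ? "private" : "public";
}

// expectedExitIp (hypothetical parameter): the only address the VPN should expose.
function findLeaks(candidateLines, expectedExitIp) {
  const leaks = [];
  const seen = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || seen.has(c.address)) continue;
    seen.add(c.address);
    const scope = classifyAddress(c.address);
    if (scope === "mdns" || c.address === expectedExitIp.toLowerCase()) continue;
    leaks.push({ address: c.address, type: c.type, scope });
  }
  return leaks;
}

// Constructed sample (documentation address ranges), not captured from a real session.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234",
  "candidate:3 1 udp 1686052351 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000",
  "candidate:4 1 udp 2122194687 a1b2c3d4-0000-4000-8000-123456789abc.local 51235 typ host",
  "a=candidate:5 1 udp 2122129151 fe80::1c2d:3eff:fe4f:5a6b 51236 typ host",
];

// With the VPN exit at 198.51.100.7, candidates 1, 2 and 5 expose other addresses.
console.log(findLeaks(SAMPLE, "198.51.100.7"));
```

An empty result means every candidate either matched the expected exit address or was an mDNS-obfuscated host name; a `srflx` entry with a public address other than the exit IP is the leak the article measures.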
VPN and WebRTC
This functionality could also be used to de-anonymize and trace users behind common privacy protection services such as VPN, SOCKS Proxy, HTTP Proxy and (in the past) TOR users.
Browsers that have WebRTC enabled by default:
- Mozilla Firefox
- Google Chrome
- Google Chrome on Android
- Internet (Samsung Browser)
23% of the tested VPN and proxy services disclosed the real IP address of their visitors, making the users traceable.
The following providers leak users’ IPs:
- BolehVPN (USA Only)
- ChillGlobal (Chrome and Firefox Plugin)
- Glype (Depends on the configuration)
- Hola!VPN Chrome Extension
- HTTP PROXY navigation in browsers that support WebRTC
- IBVPN Browser Addon
- PHP Proxy
- psiphon3 (not leaking if using L2TP/IP)
- SOCKS Proxy on browsers with WebRTC enabled
- SumRando Web Proxy
- TOR as PROXY on browsers with WebRTC enabled
- Windscribe Add-ons
You can find the complete spreadsheet of tested VPN providers here: https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0
Stay anonymous while surfing:
Some tips to follow in order to protect your IP while browsing the internet:
- Disable WebRTC
- Disable Canvas Rendering (Web API)
- Always set a DNS fallback for every connection/adapter
- Always kill all your browser instances before and after a VPN connection
- Clear browser cache, history, and cookies
You can check if your VPN leaks through this POC: http://ip.voidsec.com
I’ve updated Daniel Roesler’s code in order to make it work again, and you can find it on GitHub.
About the author: Paolo Stagno
Paolo Stagno (aka VoidSec) is a Cyber Security Researcher and a Penetration Tester focused on the Offensive Security field. He specializes in Security Research, Penetration Tests, Vulnerability Assessment, Network and Application Security. He works as an external consultant for a wide range of clients across top tier international banks, major companies and industries.
(Security Affairs – WebRTC, VPN)