A recently discovered security issue can reveal your real IP address to prying eyes even while you're using a VPN, and it's easy to exploit. Here's how it works, and what you can do about it. The issue lets remote sites take advantage of WebRTC (Web Real-Time Communication), a feature built in to most browsers.
A few lines of JavaScript is all it takes to undo the location protection a VPN gives you: a site can learn where you are actually located and who your real internet service provider is (and the ISP can tie that address back to you specifically). While the issue is primarily browser-based right now, any application that renders web pages and supports WebRTC is affected, so anyone who cares to can see past your VPN to where you really are. Advertisers, data brokers, and governments can use it to find out where your connection is really coming from. Strictly speaking this is not a browser bug: WebRTC is doing what it was designed to do, discovering the addresses a peer can be reached at. The problem is that the page's JavaScript can read those addresses, and that a VPN client does not always keep WebRTC's traffic inside the tunnel.
How Can I Check If My VPN Is Affected?
Firefox and Chrome have implemented WebRTC in a way that lets a page send requests to STUN servers, which reply with the user's local and public IP addresses. The results are available to JavaScript, so a page can obtain a user's local and public IP addresses with a few lines of script. The WebRTC test page linked in step 4 below is an example implementation of that.
Additionally, these STUN requests are made outside the normal XMLHttpRequest path, so they are not visible in the developer console's network tab and cannot be blocked by plugins such as AdBlockPlus or Ghostery. That makes them usable for online tracking: an advertiser can set up a STUN server on a wildcard domain and harvest the addresses of everyone who loads its script.
To see if your VPN is affected:
1) Visit http://whatismyipaddress.com/ and note down your actual ISP-provided IP address.
2) Log in to your VPN, choose an exit server in another country (or whichever exit server you prefer), and verify you're connected.
3) Go back to What Is My IP Address and check your IP address again. You should see a new address, one that corresponds to your VPN and the country you selected.
4) Visit Roseler's WebRTC test page.
If both tools show your VPN's IP address, you're in the clear. However, if What Is My IP Address shows your VPN and the WebRTC test shows your normal IP address, your browser is leaking your ISP-provided address to the world. The two usual ways this happens are a VPN that tunnels IPv4 but not IPv6, so the candidates carry your real IPv6 address, and a VPN client that leaves some UDP traffic or network interfaces outside the tunnel, so the STUN reply carries your real IPv4 address. In either case the LAN address in the host candidates (for example 192.168.x.x) is exposed as well, which adds to your fingerprint.
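As an added example (not part of the original post, and not the code of Roseler's test page), here is the harvesting and checking logic in JavaScript. collectCandidates is the browser-side part, the same RTCPeerConnection sequence a test page or a tracker performs; it only runs where RTCPeerConnection exists. classifyCandidates parses the ICE candidate lines the browser hands back, separates LAN addresses from public ones, and flags any public address that differs from the one your VPN shows at What Is My IP Address. The STUN server URL, the sample candidate lines and the addresses in them are assumptions constructed for this example (documentation and private ranges only).

```javascript
// Added example, not code from the original post or from the WebRTC test page.
// Harvests ICE candidates the way a tracking page would, then judges whether
// the addresses in them betray a VPN user. The STUN server and the sample
// candidate lines below are ASSUMPTIONS constructed for this example.

// Browser side: gather ICE candidates with no media, just a data channel.
// Runs only where RTCPeerConnection exists (not under Node).
function collectCandidates(stunUrl = 'stun:stun.l.google.com:19302', timeoutMs = 2000) {
  return new Promise((resolve, reject) => {
    if (typeof RTCPeerConnection === 'undefined') {
      reject(new Error('WebRTC not available in this runtime'));
      return;
    }
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const lines = [];
    const timer = setTimeout(finish, timeoutMs);
    function finish() { clearTimeout(timer); pc.close(); resolve(lines); }
    pc.onicecandidate = (ev) => { if (ev.candidate) lines.push(ev.candidate.candidate); else finish(); };
    pc.createDataChannel('probe');            // gives the offer a media section to gather ICE for
    pc.createOffer().then((offer) => pc.setLocalDescription(offer)).catch(reject);
  });
}

// Parse one ICE candidate line (RFC 5245 syntax, with or without the "a=" SDP prefix).
function parseCandidate(line) {
  const m = /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  if (!m) return null;
  return { address: m[5], port: Number(m[6]), type: m[7] };
}

// RFC 1918, loopback and link-local IPv4 ranges: a "host" candidate in these
// ranges reveals the LAN address, not the ISP-facing one.
function isPrivateIPv4(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10
    || (p[0] === 172 && p[1] >= 16 && p[1] <= 31)
    || (p[0] === 192 && p[1] === 168)
    || p[0] === 127
    || (p[0] === 169 && p[1] === 254);
}

// Sort harvested candidates into LAN addresses, public addresses, and public
// addresses that differ from what the VPN shows (i.e. a leak). Host candidates
// with a routable address (typically IPv6 with no NAT) count as public too.
function classifyCandidates(lines, vpnPublicIp) {
  const out = { local: new Set(), public: new Set(), leaked: new Set() };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (c.address.endsWith('.local')) continue;   // mDNS-obfuscated host candidate, no IP exposed
    const isLan = isPrivateIPv4(c.address) || c.address.toLowerCase().startsWith('fe80:');
    if (c.type === 'host' && isLan) {
      out.local.add(c.address);
    } else if (c.type === 'host' || c.type === 'srflx') {
      out.public.add(c.address);
      if (c.address !== vpnPublicIp) out.leaked.add(c.address);
    }
  }
  return out;
}

// Constructed sample: what a browser might emit when the VPN leaves UDP outside
// the tunnel and does not tunnel IPv6 at all. 203.0.113.10 stands in for the VPN
// exit address shown by What Is My IP Address; 198.51.100.7 for the real ISP address.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0',
  'candidate:3 1 udp 2122194687 2001:db8:85a3::8a2e:370:7334 54322 typ host generation 0',
  'candidate:4 1 udp 2122260222 3f2a9c1e-8b3d-4e5f-9a6b-7c8d9e0f1a2b.local 54323 typ host generation 0',
];

function demo() {
  const verdict = classifyCandidates(SAMPLE_CANDIDATES, '203.0.113.10');
  console.log('LAN addresses:   ', [...verdict.local]);
  console.log('Public addresses:', [...verdict.public]);
  console.log('Leaked past VPN: ', [...verdict.leaked]);
  return verdict;
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

In a browser you would run collectCandidates().then(lines => classifyCandidates(lines, vpnIp)) with vpnIp copied from What Is My IP Address; a non-empty leaked set is the same failure the test page reports. The .local skip covers newer browsers that hide host candidates behind mDNS names, which is why the LAN address part of the leak is less common today than when this was written.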
The Easy Way: Disable WebRTC In Your Browser.
Chrome, Firefox, and Opera (and browsers based on them) generally have WebRTC enabled by default. Safari and Internet Explorer don't, as of this writing, and so aren't affected unless you've specifically enabled WebRTC. Either way, if the test above showed your real address in your browser, you're affected. You can always switch to a browser that doesn't have WebRTC enabled, but since most of us like the browsers we use, here's what to do:
Chrome and Opera:
Install the WebRTC Block extension, or ScriptSafe, from the Chrome Web Store. ScriptSafe is overkill for this (it blocks scripts generally), but either one will disable WebRTC in your browser.
https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm?hl=en
https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en
Firefox: You have two options. You can install the Disable WebRTC add-on from Mozilla Add-ons:
https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc/
or disable WebRTC directly: open a new tab, enter about:config in the address bar, find the media.peerconnection.enabled preference, and set it to false.
To be sure WebRTC is disabled, go to:
If you're good, you should see something like this:
Otherwise you will see this:
I know a lot of you use VPN software and probably don't know about this, so I hope it was helpful. Got to stay anonymous if you are hacking websites.
Source: mobi13_XT
I was checking this blog constantly and I am impressed! Extremely helpful information, especially the last part; I care for such info a lot. I was seeking this particular information for a very long time. Thank you and good luck.
Thank you, Aeldra (:
Yes, cyber-crime does increase during the online shopping season, but you can easily circumvent this issue by subscribing to a VPN plan. A VPN will provide you with complete online anonymity and will strengthen the integrity of your digital security. Check out FastestVPN, as they are offering an unbelievable Black Friday VPN deal; you can actually get a discount of up to 95%!