Google Fixes STUN Flaw that Reveals VPN Users’ Private IPs

by Tracy Knauer

More than six months after news broke about a flaw in Google Chrome and Mozilla Firefox that lets websites view visitors’ local IP addresses even if they are logged into a VPN, an official fix has made its way into Chrome.

You can check if you are revealing your IP address here.

The vulnerability centered on a feature that Chrome and Firefox developers implemented in the Windows versions of the browsers to allow Web pages to send requests to a STUN server via WebRTC JavaScript code. The feature has benign uses in helping to route VoIP calls, instant messages and the like.

However, a researcher discovered in January 2015 that the feature could also be exploited to reveal both the local and the public IP addresses of visitors to a website, including those who are using a VPN service to increase their privacy. This demo shows the exploit in action.

Revealing public IP addresses is not a big deal, since those are generally obvious to any site that users visit. Public IPs also often don’t mean much because hundreds or thousands of computers could be running behind a single public IP.

In contrast, private IP addresses – which normally are logged only by a user’s own computer, plus any gateways or routers on the local or VPN network that he or she accesses – can pinpoint a particular user’s location on the network. Worse, by giving third parties access to private IPs, this hack allows anyone to track a specific user’s activities, even if his or her computer is running behind a VPN.
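To audit your own browser, the ICE candidate lines that WebRTC gathers can be sorted by the kind of address each one carries. The following is an added example, not code from the original article: the function names are hypothetical and the sample candidate lines are constructed.

```javascript
// Private or non-routable IPv4 ranges: RFC 1918, loopback, link-local, CGNAT.
const PRIVATE_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['100.64.0.0', 10],
];

function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

function classifyAddress(addr) {
  const a = addr.toLowerCase();
  const n = v4ToInt(a);
  if (n !== null) {
    const inRange = ([base, bits]) =>
      Math.floor(n / 2 ** (32 - bits)) === Math.floor(v4ToInt(base) / 2 ** (32 - bits));
    return PRIVATE_V4.some(inRange) ? 'private' : 'public';
  }
  if (a.includes(':')) {
    const first = parseInt(a.split(':')[0] || '0', 16);
    // fc00::/7 unique-local, fe80::/10 link-local, ::1 loopback
    const local = (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80 || a === '::1';
    return local ? 'private' : 'public';
  }
  return a.endsWith('.local') ? 'mdns' : 'unknown'; // hostname, not an IP literal
}

// Accepts "candidate:..." or "a=candidate:..." lines; returns null for anything else.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]),
           type: m[4], scope: classifyAddress(m[2]) };
}

function auditCandidates(lines) {
  const findings = lines.map(parseCandidate).filter(Boolean);
  return { findings, leaksPrivate: findings.some(f => f.scope === 'private') };
}

// Constructed sample: LAN host, VPN-tunnel host, STUN-derived public address, .local hostname.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 10.8.0.6 54322 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 udp 2122260223 3f2a9c1e-0000-4000-8000-000000000001.local 54323 typ host',
];
console.log(auditCandidates(SAMPLE));
```

If `leaksPrivate` is true for candidates taken from your own browser, the local or VPN-assigned address is visible to page scripts.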

The fact that the exploit runs in such a way that standard ad-blocking software and similar tools cannot prevent it makes it that much more threatening to privacy and security.

A free extension for Chrome that could block the hack became available in January. For their part, Firefox users can disable the feature on which the flaw is based by making minor changes to the browser’s configuration. In both cases, however, plugging the hole requires proactive changes on the part of users.

Now, Google has finally rolled out an update to Chrome itself that fixes the problem. That’s a big step forward, since it means everyone is protected, not just those who enhance their own privacy.

Firefox users have two options. You can install the Disable WebRTC add-on, or disable WebRTC directly by opening a tab, going to “about:config” in the address bar, and then finding the “media.peerconnection.enabled” setting and setting it to false.
