Huge Security Flaw Leaks VPN Users’ Real IP-Addresses

  • Huge Security Flaw Leaks VPN Users’ Real IP-Addresses

    Source: TorrentFreak | Original Author: Ernesto | Post Date: January 30, 2015 | Link in TorrentFreak: Huge Security Flaw Leaks VPN Users’ Real IP-Addresses

    VPN users are facing a massive security flaw as websites can easily see their home IP-addresses through WebRTC. The vulnerability is limited to supporting browsers such as Firefox and Chrome, and appears to affect Windows users only. Luckily the security hole is relatively easy to fix.


    The Snowden revelations have made it clear that online privacy is certainly not a given.

    Just a few days ago we learned that the Canadian Government tracked visitors of dozens of popular file-sharing sites.

    As these stories make headlines around the world interest in anonymity services such as VPNs has increased, as even regular Internet users don’t like the idea of being spied on.

    Unfortunately, even the best VPN services can’t guarantee to be 100% secure. This week a very concerning security flaw revealed that it’s easy to see the real IP-addresses of many VPN users through a WebRTC feature.

    With a few lines of code websites can make requests to STUN servers and log users’ VPN IP-address and the “hidden” home IP-address, as well as local network addresses.

    The vulnerability affects WebRTC-supporting browsers including Firefox and Chrome and appears to be limited to Windows machines.

    A demo published on GitHub by developer Daniel Roesler allows people to check if they are affected by the security flaw.

    IP-address leak


    The demo claims that browser plugins can’t block the vulnerability, but luckily this isn’t entirely true. There are several easy fixes available to patch the security hole.

    Chrome users can install the WebRTC block extension or ScriptSafe, which both reportedly block the vulnerability.

    Firefox users should be able to block the request with the NoScript addon. Alternatively, they can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.


    TF asked various VPN providers to share their thoughts and tips on the vulnerability. Private Internet Access told us that they are currently investigating the issue to see what they can do on their end to address it.

    TorGuard informed us that they issued a warning in a blog post along with instructions on how to stop the browser leak. Ben Van Der Pelt, TorGuard’s CEO, further informed us that tunneling the VPN through a router is another fix.

    “Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one’s real IP,” Van der Pelt says.

    “During our testing Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes,” he adds.

    While the fixes above are all reported to work, the leak is a reminder that anonymity should never be taken for granted.

    As is often the case with these types of vulnerabilities, VPN and proxy users should regularly check if their connection is secure. This also includes testing against DNS leaks and proxy vulnerabilities.

    [ἓν οἶδα ὅτι] οὐδὲν οἶδα - Socrates
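
Added example (not part of the article, the forum post or Daniel Roesler's demo): a self-check for the leak described above that sorts the addresses found in WebRTC ICE candidate lines into local-network, VPN-exit and leaked. The candidate lines, the addresses and the function names `parseCandidate`, `isPrivateV4` and `auditCandidates` are constructed for illustration.

```javascript
// Added example. All candidate lines below are constructed
// (private and documentation address ranges only).
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 10.8.0.6 54322 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 udp 1685987071 203.0.113.44 54322 typ srflx raddr 10.8.0.6 rport 54322',
  'not a candidate line',
];

// Parse one ICE candidate line (RFC 5245 candidate-attribute layout).
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/
    .exec(line.trim());
  if (!m) return null;
  const rel = /raddr (\S+) rport (\d+)/.exec(m[8]);
  return { address: m[5], port: Number(m[6]), type: m[7],
           relatedAddress: rel ? rel[1] : null };
}

// True for RFC 1918, loopback and link-local IPv4 addresses.
function isPrivateV4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// Sort every address a page could read from the candidates into buckets.
// Anything public that is not the VPN exit address counts as a leak.
function auditCandidates(lines, vpnExitIp) {
  const report = { local: [], vpn: [], leaked: [], masked: [], skipped: [] };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { report.skipped.push(line); continue; }
    for (const ip of [c.address, c.relatedAddress]) {
      if (!ip || ip === '0.0.0.0') continue;
      const bucket = ip.endsWith('.local') ? 'masked'   // mDNS name, no IP shown
        : isPrivateV4(ip) ? 'local'
        : ip === vpnExitIp ? 'vpn' : 'leaked';
      if (!report[bucket].includes(ip)) report[bucket].push(ip);
    }
  }
  return report;
}

console.log(auditCandidates(SAMPLE, '203.0.113.44'));
```

The private-range test covers IPv4 only, so any IPv6 address other than the VPN exit is reported conservatively under `leaked`.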

  • #2
    Not good, defeats the whole purpose of a VPN, glad I don't use one.


    • #3
      which fix is best?

      Originally posted by brightsm View Post
      Chrome users can install the WebRTC block extension or ScriptSafe, which both reportedly block the vulnerability.

      Firefox users should be able to block the request with the NoScript addon. Alternatively, they can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.
      Source: TorrentFreak Original Author: Ernesto Post Date: January 30, 2015 Link in TorrentFreak: Huge Security Flaw Leaks VPN Users’ Real IP-Addresses
      I use Firefox and Chrome all the time on my PC! I guess it's time to switch to my old Netscape Navigator (j/k). But seriously, I would still like to use a software VPN from time to time. I don't know anything about the fixes mentioned here. Does anyone know if one of them works better than the other or if the "media.peerconnection.enabled" fix will turn off commonly used features?



      • #4
        I feel like nothing is ever secure any more.

        - Nipples



        • #5
          the only security is knowing you're insecure...

          :(



          • #6
            And there was me thinking that it was IE that had all the security flaws

            EFC



            • #7
              I don't hear much about IE one way or the other anymore. Maybe they've actually stepped up their security.

              But probably not.

              - Nipples



              • #8
                Originally posted by nipples View Post
                I don't hear much about IE one way or the other anymore. Maybe they've actually stepped up their security.

                But probably not.

                - Nipples
                IE is like the elephant in the room... everyone knows it's there but talking about it makes it more real. lol. The way I see all this is for every step up in security there's always a step up in breaking it down, all you can do is try your best to keep on top. I am far too much of a dimwit to even try to understand any of these backdoors. I just trust other people who do share how to try to make me safe again :)



                • #9
                  Definitely not good news. As TheWickerMan said earlier, it definitely defeats the purpose of a VPN.

                  To think that I almost invested in one. Seems like a seedbox is the way to go.
