One Leak Will Sink A Ship: WebRTC IP Address Leaks
This is an incremental analysis of a known privacy threat for VPN users, highlighting specific risks and mitigation strategies.
The study investigated WebRTC API vulnerabilities that leak client IP addresses to websites even when using VPNs, finding that most tested browsers and VPNs expose at least one IP address, with the extent varying by browser and VPN choice.
The introduction of the WebRTC API to modern browsers has brought about a new threat to user privacy. This API causes a range of client IP addresses to become available to a visited website via JavaScript even if a VPN is in use. This is a potentially serious problem for users utilizing VPN services for anonymity. In order to better understand the magnitude of this issue, we tested widely used browsers and VPN services to discover which client IP addresses can be revealed and in what circumstances. In most cases, at least one of the client addresses is leaked. The number and type of leaked IP addresses are affected by the choices of browser and VPN service, meaning that privacy-sensitive users should choose their browser and their VPN provider with care. We conclude by proposing countermeasures which can be used to help mitigate this issue.
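As an added example (not code from the paper), the following helper audits a browser and VPN combination you control: it takes the ICE candidate strings that WebRTC hands to JavaScript during connection setup and reports which addresses in them disclose an IP, and of what type. The function names and the sample candidates are assumptions constructed for illustration.

```javascript
// Classify a candidate address by what it reveals to the visited page.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns-obfuscated';      // random mDNS name instead of the local IP
  if (a === '0.0.0.0' || a === '::') return 'unspecified'; // placeholder some browsers put in raddr
  if (a === '::1' || a.startsWith('127.')) return 'loopback';
  const v4 = a.match(/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
  if (v4) {
    const o1 = Number(v4[1]), o2 = Number(v4[2]);
    if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) || (o1 === 192 && o2 === 168)) return 'private-ipv4';
    if (o1 === 169 && o2 === 254) return 'link-local-ipv4';
    return 'public-ipv4';
  }
  if (!a.includes(':')) return 'unknown';
  const first = parseInt(a.split(':')[0] || '0', 16);
  if ((first & 0xffc0) === 0xfe80) return 'link-local-ipv6';
  if ((first & 0xfe00) === 0xfc00) return 'unique-local-ipv6';
  return 'public-ipv6';
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
function candidateAddresses(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return [];
  const r = f.indexOf('raddr', 8); // srflx/relay candidates may also carry the local address here
  return r !== -1 && f[r + 1] ? [f[4], f[r + 1]] : [f[4]];
}

// Return { address: exposure } for every address that actually discloses an IP.
function leakedAddresses(lines) {
  const leaks = {};
  for (const addr of lines.flatMap(candidateAddresses)) {
    const exposure = classifyAddress(addr);
    if (!['mdns-obfuscated', 'unspecified', 'unknown'].includes(exposure)) leaks[addr] = exposure;
  }
  return leaks;
}

// Constructed sample candidates using documentation address ranges, not captured traffic.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 2122194687 0f6b1c2e-5a77-4c1d-9d3e-1a2b3c4d5e6f.local 54322 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.45 61000 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 udp 1686052351 198.51.100.7 61001 typ srflx raddr 0.0.0.0 rport 0',
  'a=candidate:5 1 udp 2122262783 2001:db8::1234 54323 typ host',
];
console.log(leakedAddresses(SAMPLE));
```

Comparing the public addresses in the result against the VPN's exit address shows whether anything other than the tunnel endpoint is exposed; the classifier only reports address type and cannot tell which public address belongs to the VPN.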