
Thread: Huge Security Flaw Leaks Users’ Real IP-Addresses

  1. #1

    Huge Security Flaw Leaks Users’ Real IP-Addresses

    Huge Security Flaw Leaks VPN Users’ Real IP-Addresses

    VPN users are facing a massive security flaw as websites can easily see their home IP-addresses through WebRTC. The vulnerability is limited to supporting browsers such as Firefox and Chrome, and appears to affect Windows users only. Luckily the security hole is relatively easy to fix.

    The Snowden revelations have made it clear that online privacy is certainly not a given.

    Just a few days ago we learned that the Canadian Government tracked visitors of dozens of popular file-sharing sites.

    As these stories make headlines around the world interest in anonymity services such as VPNs has increased, as even regular Internet users don’t like the idea of being spied on.

    Unfortunately, even the best VPN services can’t guarantee to be 100% secure. This week a very concerning security flaw revealed that it’s easy to see the real IP-addresses of many VPN users through a WebRTC feature.

    With a few lines of code websites can make requests to STUN servers and log users’ VPN IP-address and the “hidden” home IP-address, as well as local network addresses.

    The vulnerability affects WebRTC-supporting browsers including Firefox and Chrome and appears to be limited to Windows machines.

    A demo published on GitHub by developer Daniel Roesler allows people to check if they are affected by the security flaw.

    The demo claims that browser plugins can’t block the vulnerability, but luckily this isn’t entirely true. There are several easy fixes available to patch the security hole.

    Chrome users can install the WebRTC block extension or ScriptSafe, which both reportedly block the vulnerability.
    Firefox users should be able to block the request with the NoScript addon. Alternatively, they can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.

    “Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one’s real IP,” Van der Pelt says.

    “During our testing Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes,” he adds.

    While the fixes above are all reported to work, the leak is a reminder that anonymity should never be taken for granted.


    I don't have a VPN, and they can detect even my satellite card IP.

    https://torrentfreak.com/huge-securi...resses-150130/
    Last edited by mmmmm; 02.04.15 at 00:40.
    Busy , new things always comes
    Its the time for personal life ,Still here from time to time, Greeting for everybody All .

    Its easy way to capture the announces :-
    Tutorial how use SmartSniff to Capture announces for Bittorrent

  3. #2
    Instab (Moderator)
    WebRTC was introduced with firefox 22 so if you're using an older version you're good automatically
    Your account has been disabled.

  5. #3
    anon (Moderator)
    I'm glad I always disable toy features like this one when setting up my browsers.
    "I just remembered something that happened a long time ago."

  7. #4
    Quote Originally Posted by anon View Post
    I'm glad I always disable toy features like this one when setting up my browsers.
    Do you mean there is an option to disable it while setting up (point me to it) or after setup?

  8. #5
    anon (Moderator)
    Quote Originally Posted by mmmmm View Post
    Do you mean there is an option to disable it while setting up (point me to it) or after setup?
    I think by "setting up" you're referring to the installation process, so I guess it's after setup.

    My Opera 12.17 and IE 11 don't support WebRTC at all. Firefox already had it disabled. I don't have the security extensions TorrentFreak mentions installed on Chrome Iron 33, but for some reason, the IP test still can't find any addresses.

  9. #6

    has anyone ever tried using this firefox extension plugin.. IPFlood

    What is it ?

    IPFuck is a Firefox addon created to simulate the use of a proxy. With this addon installed and enabled, and if a lot of us use it, there will no longer be any means to know who is using a real IP, who isn't and who was charged doing something he didn't... Basically: we all become anonymous!

    This addon is a "proof of concept" to show anyone who isn't already aware that IP address has become obsolete and that no one should use an IP address as an evidence anymore. This plugin is just one of many ways to spoof an IP address and these spoofing could lead to outrageous accusation of innocents.

    How does it work?

    You can imagine that if I could just overwrite any existing information about your IP address I would have done so (or somebody else would have a while back ago)...

    But it's actually a little more tricky: when sending a request to a server you will provide several pieces of information about your IP address: three of them come from the Application Layer and the last one comes from the Transport Layer. This last one I can't modify: you wouldn't get the answer to your request if that was done. But the three others can be overwritten without any consequence to your browsing...

    These three headers were created to provide information on the real IP of a person surfing through a proxy server. So when you enable IPFuck, the websites you are visiting will believe that your real IP is a proxy server and (if the website was done correctly) focus on the false IP you are sending...

    A lot of websites try and figure out who is hiding behind a proxy server. And if you don't believe me (I won't mind), just check out this google search request: get real ip address php. Most of the snippets given here will check HTTP headers (the one we overwrite) before the Transport Layer information ('REMOTE_ADDR').

    What if?

    What if this addon spreads and everyone changes his website code to only check for the Transport Layer information? Well then, they will lose any information on anyone hiding behind a proxy...

    There is just no way to know anymore who's who and if the IP you're detecting as connected to your website is a real one or a spoofed / behind a proxy one !

    IPFlood ! (former IPFuck)
    Last edited by lil-fella; 03.04.15 at 12:13.

  11. #7
    Instab (Moderator)
    Quote Originally Posted by lil-fella View Post
    has anyone ever tried using this firefox extension plugin.. IPFlood
    this one just adds 3 headers:
    Code:
    HTTP_X_FORWARDED_FOR
    HTTP_CLIENT_IP
    HTTP_VIA
    it does neither change nor hide your actual ip but counts on confusing the sites that rather look for these headers instead of the regular "REMOTE_ADDR"

  12. #8

    also using this program.. can hide your ip.. you can hide all sorts of stuff when you go through this program..

    Hide your real IP address and surf anonymously with Hide ALL IP

    Your IP address can link your internet activities directly to you, it can easy leak you by this IP address, Hide ALL IP protects your online identity by change your IP address to our private server's IP and routes all your internet traffic through our encrypted internet servers so that all remote servers only get a fake IP address, you are very safely. Unlike your ISP, Hide ALL IP does not track and does not record any where you go

    i like to run my p2p torrent program through this..

    HIDE ALL IP

    http://hideallip.com/home.html

    Moderator Message
    cracks and similar are not allowed here
    //Staff

    edit
    ok no problem.. they can buy it instead if need be..
    it's just nice to have a full version without paying for it huh
    Last edited by lil-fella; 04.04.15 at 19:16. Reason: crack removed

  14. #9
    anon (Moderator)
    These three headers were created to provide information on the real IP of a person surfing through a proxy server. So when you enable IPFuck, the websites you are visiting will believe that your real IP is a proxy server and (if the website was done correctly) focus on the false IP you are sending...
    This is a nice idea, and doesn't require much resources to implement. Unfortunately, most IP logging ignores these headers, for the very reason they can be forged.

    The best way to simulate a proxy would be behavioral - using an addon that does random searches and/or randomly surfs the Internet. Think about it: if one IP searches Google for "cake is awesome", and then (with different cookies) for "reasons to hate cake", they're very likely not the same person. So that address "must" be either a proxy, or a NAT router used by different people to share their Internet access.
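The server-side handling that Instab and anon describe above, as an added example that is not part of the thread or of the addon: the logged address is always the transport-layer `REMOTE_ADDR`, and the three headers count only when the peer is a reverse proxy the operator runs. The function name, the `trusted_proxies` parameter and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Headers the post lists; all three are sent by the client and can be forged.
FORWARD_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP", "HTTP_VIA")

def _trusted(addr, nets):
    return any(addr in net for net in nets)

def resolve_client_ip(environ, trusted_proxies=()):
    """Return (client_ip, unverified_headers) for a CGI/WSGI-style environ.

    trusted_proxies: CIDR strings for reverse proxies the operator runs
    (hypothetical parameter name, not taken from any framework).
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])  # transport-layer peer
    if not _trusted(peer, nets):
        # Direct connection: the headers are client input. Log the peer and
        # report which headers were present as a spoofing signal only.
        return str(peer), [h for h in FORWARD_HEADERS if environ.get(h)]
    # Peer is our own proxy: walk X-Forwarded-For right to left and stop at
    # the first hop we do not operate. Anything further left is unverified.
    client = peer
    hops = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for hop in reversed([h.strip() for h in hops if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = addr
        if not _trusted(addr, nets):
            break
    return str(client), []

# Constructed sample requests (documentation address ranges, not real traffic).
SAMPLE_SPOOFED = {
    "REMOTE_ADDR": "198.51.100.23",
    "HTTP_X_FORWARDED_FOR": "192.0.2.55",
    "HTTP_CLIENT_IP": "192.0.2.55",
    "HTTP_VIA": "1.1 proxy.invalid",
}
SAMPLE_PROXIED = {
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_X_FORWARDED_FOR": "192.0.2.55, 203.0.113.7, 10.0.0.9",
}

if __name__ == "__main__":
    print(resolve_client_ip(SAMPLE_SPOOFED))
    print(resolve_client_ip(SAMPLE_PROXIED, ["10.0.0.0/8"]))
```

In the proxied sample the leftmost entry is whatever the client sent, so the address the operator's own proxy appended is the one that gets logged.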

  15. #10
    system28 (Elite)
    As far as I know, there is no solution for chrome. Correct?

    This account has been disabled
    Reason: Fake upload

    Do NOT cheat. This involves; ghost leeching, spoofing and/or use of a modified client in anyway. If you, or anyone on your IP/server is found to be cheating then ALL users on that IP will be disabled.

  16. #11

    with the HIDE ALL IP program you can hide anything you want.. including chrome browser..
    just drag and drop the shortcut into the HIDE ALL IP program and start it from there.. then all traffic from the new shortcut will be hidden by fake ip..

    Last edited by lil-fella; 04.04.15 at 19:39.

  17. #12
    Instab (Moderator)
    Quote Originally Posted by system28 View Post
    As far as I know, there is no solution for chrome. Correct?
    there is: dump it
    unless you like sending all your data to google

  18. #13
    anon (Moderator)
    Quote Originally Posted by lil-fella View Post
    just drag and drop the shortcut into the HIDE ALL IP program and start it from there.. then all traffic from the new shortcut will be hidden by fake ip..
    If you're okay with using a semi-public proxy with all the implications of that, both good (disabling IP tracking by sharing an address with many other people, accessing country-restricted content) and bad (who runs those proxies? How can you know they're not monitored? Are they fast enough? Are they banned from any site you visit?), that's a solution. But does it protect you against this vulnerability?

    Quote Originally Posted by Instab View Post
    there is: dump it
    unless you like sending all your data to google
    Haha, I remember the "audit" where you turned all the call-home features off, and would still find connections to random Google servers.

    Personally, I use Iron, and have hex-edited all the strange requests I could find out of the binaries. It seems like a good solution for Windows users.

  20. #14
    anon
    I think you should explain those ways in detail in another topic.

  22. #15
    Instab (Moderator)
    Quote Originally Posted by anon View Post
    Personally, I use Iron, and have hex-edited all the strange requests I could find out of the binaries. It seems like a good solution for Windows users.
    mozilla based browser. there's no serious alternative. options and available addons of all others are a joke in comparison.