WebRTC vulnerabilities are notorious in the VPN industry. They’re no small matter, either – we use VPN services to hide our real identity from a variety of actors, and by “real identity” we generally mean our IP address. It may be called a “WebRTC leak,” but what a WebRTC vulnerability actually leaks is our IP address.

Those who have used a WebRTC leak test will know that it identifies two classes of IP addresses: public IP and local IP. Public IP addresses form part of your identity on the internet. When you’re using a VPN, sites detect the VPN’s public IP addresses instead of yours. However, the WebRTC browser vulnerability lets the website you’re visiting see your real IP. If you run a WebRTC leak test and it shows your real IP address, then you may be experiencing an IP address leak.

What is WebRTC and what are WebRTC vulnerabilities?

WebRTC (Web Real-Time Communication) generally refers to an API definition which allows voice, video chats, and P2P file sharing within a browser. It is a collection of integrated technologies that facilitates communication between web browsers directly, without the need for an intermediate server. WebRTC comes with a number of benefits, such as faster speeds and less lag for activities such as file transfers, video chats, and live streaming. However, when two devices are communicating with each other directly, they need each other’s IP address. The issue is that WebRTC can sometimes go around the VPN tunnel, allowing a third party to detect your real IP address and use it to identify you. This is referred to as a WebRTC leak.

Does a WebRTC leak put your privacy at risk?

At the core of WebRTC vulnerabilities is the fact that WebRTC uses more integrated and advanced protocols, which are far better at uncovering your real IP address. The Interactive Connectivity Establishment (ICE) protocol discovers the real IP address in the following ways.

STUN/TURN servers

STUN/TURN servers allow web browsers to ask questions such as “What are my public IPs?” What’s more, STUN/TURN servers allow two devices to communicate even if they’re behind NAT firewalls.

The Host Candidate Discovery

Most, if not all, devices accessing the internet have multiple IP addresses associated with the hardware. Although firewalls hide them from websites and STUN/TURN, the ICE protocol allows browsers to simply read them off your device. IPv4 is commonly associated with devices and does not compromise privacy. However, IPv6 addresses put your device at a high privacy risk. IPv4 and IPv6 are quite different. An IPv6 address acts as a public IP that is unique to you. ICE easily discovers the IPv6 address associated with your device, and this could compromise your privacy.

Unfortunately, a malicious website can utilize a STUN/TURN server or even Host Candidate Discovery to trick your browser into unveiling your real IP address to identify you without your consent.

Steps to carry out WebRTC leak test

If you’re using a Virtual Private Network and the leak tool shows there is a leak, you can confirm it with the following check:

  1. Disconnect from your VPN and open an IP checker
  2. Make note of any public IP you see there
  3. Close the IP checker
  4. Connect to your VPN and reopen the IP address checker

Should you see any public IP address that you noted in the previous IP check, you definitely have a privacy leak. However, if you’re using a VPN and the tool states that there is no leak, you’re good to go.
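The comparison a leak test performs, as an added example that is not part of the original article: it parses ICE candidate lines (in a browser these are the `RTCIceCandidate.candidate` strings), classifies each address, and flags any that match the public IPs noted while the VPN was disconnected. The function names and sample candidates are constructed for illustration and use documentation address ranges.

```javascript
// Added example, not from the original article. Sample data is constructed.
const PRIVATE_V4 = /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;
const LOCAL_V6 = /^(::1$|fe[89ab][0-9a-f]:|f[cd][0-9a-f]{2}:)/i;

// Parse one ICE candidate line of the form:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null; // not a candidate line
  return { transport: m[1].toLowerCase(), address: m[2].toLowerCase(),
           port: Number(m[3]), type: m[4].toLowerCase() };
}

// 'mdns'    = host candidate hidden behind a .local name
// 'private' = LAN, loopback or link-local address
// 'public'  = everything else
function scopeOf(address) {
  if (address.endsWith('.local')) return 'mdns';
  if (address.includes(':')) return LOCAL_V6.test(address) ? 'private' : 'public';
  return PRIVATE_V4.test(address) ? 'private' : 'public';
}

// ipsWithoutVpn: the public IPs noted in steps 1-2 (VPN disconnected).
// Assumes both sides use the same textual form for IPv6 addresses.
function checkLeak(candidateLines, ipsWithoutVpn) {
  const known = new Set(ipsWithoutVpn.map((ip) => ip.toLowerCase()));
  const candidates = candidateLines
    .map((line) => parseCandidate(line))
    .filter(Boolean)
    .map((c) => ({ ...c, scope: scopeOf(c.address), leaked: known.has(c.address) }));
  const leaked = candidates.filter((c) => c.leaked).map((c) => c.address);
  return { leak: leaked.length > 0, leaked, candidates };
}

// Constructed candidates, as gathered with the VPN connected.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 a1b2c3d4-0000-4000-8000-000000000001.local 54322 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 udp 2122262783 2001:db8::1234 54323 typ host',
  'candidate:5 1 udp 1686052607 203.0.113.50 40000 typ srflx raddr 10.8.0.2 rport 40000',
];
const report = checkLeak(SAMPLE, ['198.51.100.7', '2001:db8::1234']);
console.log(report.leak ? 'LEAK: ' + report.leaked.join(', ') : 'no leak');
```

Here the STUN-derived `srflx` candidate and the IPv6 `host` candidate both match addresses seen without the VPN, so the check reports a leak; the candidate carrying the VPN exit address does not.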

How to prevent WebRTC browser vulnerabilities

Perhaps at this point, you’re wondering how to stop or prevent WebRTC leaks. You might want to look out for VPNs that are able to protect you from WebRTC leaks on their own. VPNs such as ExpressVPN or NordVPN go the extra mile to ensure that WebRTC browser vulnerabilities are not an issue for their user base. Of course, browsers at times cache IP addresses in memory; such instances may compromise your privacy. What’s more, you can manually disable WebRTC in your browser.

How to manually disable WebRTC in Firefox

Fortunately for users, Firefox WebRTC vulnerabilities are easy to plug because the browser has an integrated way to disable the functionality.

  1. In the address bar, type “about:config”
  2. Click on the “I accept the risk!” button that appears
  3. A search bar will appear – type “media.peerconnection.enabled”
  4. Double-click to change the value to “false.” This renders the Firefox WebRTC functionality disabled.

The procedure above effectively prevents the WebRTC leak on both the desktop and mobile versions of Firefox.

How to neutralize the WebRTC Chrome (Desktop) issue

Unlike with some other browsers (such as the aforementioned Firefox), manually disabling the Chrome WebRTC functionality is not very straightforward. Therefore, if you’re using the Chrome browser, you might want to use a WebRTC Chrome extension to plug the hole. Here are a few that will do the trick:

uBlock Origin works as an all-purpose blocker for ads and trackers, and has an option to block Chrome WebRTC. WebRTC Network Limiter, on the other hand, is an add-on developed by Google specifically to stop IP leakage through WebRTC.

How to block Chrome WebRTC on mobile

The same steps work for Firefox on Android as well:

  1. Turn on Chrome and enter “chrome://flags/#disable-webrtc” into the address bar.
  2. When you scroll down, you will see the option “WebRTC STUN origin header” – disable it.

This will fix your WebRTC Chrome woes on mobile.

How to block WebRTC on Opera

There are two ways you can go about plugging the WebRTC Opera leak. The first is to follow these steps:

  1. Go to Settings
  2. Click Advanced->Privacy & Security and scroll down to WebRTC
  3. Choose “Disable non-proxied UDP”

Note that this doesn’t disable Opera WebRTC altogether, but it will prevent WebRTC leaking your real IP address.

How to prevent the WebRTC leak on Brave

The Brave browser has had a long-standing WebRTC vulnerability, which was fixed only in 2018. Currently, users can plug the Brave WebRTC leak issue following these steps:

  1. Go to Settings->Advanced->Privacy & Security->WebRTC
  2. Choose “Disable non-proxied UDP”

These are the same steps you would follow as an Opera user. Again, this does not disable Brave WebRTC altogether – it only fixes the leak.

Which browsers are most vulnerable to WebRTC leaks?

In case you’re wondering which browsers are more vulnerable when it comes to WebRTC leakage, it leaks in almost any browser. Users of Firefox, Chrome, Opera, Safari, and Microsoft Edge, just to mention a few, are more vulnerable to WebRTC leaks, probably because these browsers have WebRTC enabled by default. When it comes to mobile web browser support, there’s less concern compared to desktop browser support. However, you can be sure of WebRTC leak protection on mobile browsers in the near future. Being free from the leak in one browser is no guarantee that you’re protected in another browser on the same desktop. Hence, it is important to consider taking preventive measures in each browser.

Disabling WebRTC does not affect the normal browsing experience. Remember: most websites don’t depend on it. Hence, don’t panic about disabling the feature. However, the latest browsers might lose some functionality on some websites. In such cases, you can opt to use firewall rules to enforce that traffic may only be sent through an encrypted VPN.