
VPNs Infected with WebRTC Bug Leaking Users’ IP Addresses

Some VPN (virtual private network) providers advertise a strict “no log” policy: they say they keep no record of your online activity, sessions, timestamps or IP addresses. Nevertheless, a number of VPN services were reported to leak exactly that kind of information, including their users’ real IP addresses and, by extension, their real locations.

The cause was not a flaw in the VPN protocols themselves but a browser feature, WebRTC. The leak has been public since January 2015, and it affected more than 20% of the VPN services examined; most providers did not appear to know about it.

The bug in the VPN context was identified by a security researcher working under the handle VoidSec, who found a WebRTC IP leak while auditing 83 VPN apps. By his count, 17 of them were affected: while the VPN was connected, their users’ real IP addresses were still exposed to web pages visited in a browser.

He published his results in a Google Docs spreadsheet, but he could not complete the audit because he did not have the funds to subscribe to every commercial VPN on the market.

VPNs Infected with WebRTC Bug

He therefore encourages users to test their own commercial VPNs for the bug and to send him the results. He also set up a demo web page for this purpose: with the VPN switched on, the user opens the page in a browser and it reports which addresses WebRTC reveals. The code behind the page is published on GitHub, and he advises running it on a local machine rather than against his public server, so that the test itself does not hand your IP address to a third party.

The underlying WebRTC leak was first described in January 2015 by another security researcher, Daniel Roesler, and VoidSec based his test code on Roesler’s demonstration.

The 2015 technique works through the browser’s ICE candidate gathering. A web page creates an RTCPeerConnection; to discover how the machine can be reached, the browser enumerates its local network interfaces and sends STUN requests to a server that replies with the address it saw the request come from. Both results are handed back to the page’s JavaScript as ICE candidates, so the page learns the user’s public IP address and, when the user sits behind a VPN, a NAT network or a proxy, the private address of the local interface as well.

The problem is that these STUN requests are not ordinary HTTP requests and do not go through the browser’s proxy settings, so proxy-based anonymisation and tracker-blocking extensions do not intercept them, and any site running the script obtains the addresses silently. Because of this bug, advertisers and law enforcement agencies were able to acquire users’ IP addresses and real locations.
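To make the mechanism described above concrete, here is an added example (not the page’s, VoidSec’s or Roesler’s code) of a leak check built the same way the demo pages are: it starts ICE gathering against a STUN server, parses the candidate lines the browser hands back, and flags any address that is not the VPN’s expected exit address. The STUN URL, the sample candidate lines and the assumed VPN exit IP 198.51.100.7 are constructed for illustration; the parse-and-classify functions run anywhere, while gatherCandidates() needs a browser that exposes RTCPeerConnection.

```javascript
// Added example (not VoidSec's or Roesler's code). parseCandidate/findLeaks are
// pure and run anywhere; gatherCandidates only works in a browser with WebRTC.

const PRIVATE_RANGES = [
  /^10\./,
  /^172\.(1[6-9]|2\d|3[01])\./,
  /^192\.168\./,
  /^127\./,
  /^169\.254\./,
  /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./, // carrier-grade NAT 100.64/10
  /^f[cd][0-9a-f]{2}:/i,                     // IPv6 unique local
  /^fe80:/i,                                 // IPv6 link-local
  /^::1$/,
];

function isPrivate(addr) {
  return PRIVATE_RANGES.some((re) => re.test(addr));
}

// Parse one ICE candidate line (RFC 5245 syntax, as delivered by
// RTCPeerConnection.onicecandidate). Returns null for non-candidate lines.
function parseCandidate(line) {
  const m = line.match(
    /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/
  );
  if (!m) return null;
  const addr = m[5];
  const mdns = /\.local$/i.test(addr); // current browsers hide host IPs behind mDNS names
  return {
    transport: m[3].toLowerCase(),
    address: addr,
    port: Number(m[6]),
    type: m[7],                        // host, srflx, prflx or relay
    relatedAddress: m[8] || null,      // raddr on a srflx candidate: the inside address
    mdns,
    scope: mdns ? 'mdns' : (isPrivate(addr) ? 'private' : 'public'),
  };
}

// Given the candidate lines and the IP the VPN should present to the world,
// report what leaked. A public address that is not the VPN exit means the STUN
// request or the interface bypassed the tunnel; a raw host candidate exposes the LAN.
function findLeaks(lines, vpnExitIp) {
  const leaks = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c || c.mdns) continue;
    if (c.scope === 'public' && c.address !== vpnExitIp) {
      leaks.push({ address: c.address, type: c.type, reason: 'public address is not the VPN exit' });
    } else if (c.scope === 'private' && c.type === 'host') {
      leaks.push({ address: c.address, type: c.type, reason: 'LAN address exposed' });
    }
  }
  return leaks;
}

// Browser-only: gather candidates the way the leak demos do. Creating a data
// channel is enough to start ICE; no media permission prompt is shown.
// The STUN URL is an assumption; any reachable STUN server will do.
function gatherCandidates(stunUrl = 'stun:stun.l.google.com:19302', timeoutMs = 3000) {
  return new Promise((resolve, reject) => {
    if (typeof RTCPeerConnection === 'undefined') {
      reject(new Error('RTCPeerConnection not available (not a browser)'));
      return;
    }
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    pc.createDataChannel('leaktest');
    pc.onicecandidate = (ev) => {
      if (ev.candidate) lines.push(ev.candidate.candidate);
      else { pc.close(); resolve(lines); } // null candidate: gathering finished
    };
    pc.createOffer().then((o) => pc.setLocalDescription(o)).catch(reject);
    setTimeout(() => { pc.close(); resolve(lines); }, timeoutMs);
  });
}

// Constructed sample (not captured from a real client): a host candidate with a
// LAN address, a srflx candidate carrying the ISP-assigned public address, and a
// modern mDNS-obfuscated host candidate.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.20 58130 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.5 58130 typ srflx raddr 192.168.1.20 rport 58130 generation 0',
  'candidate:3 1 udp 2122262783 a1b2c3d4-e5f6-7890-abcd-ef1234567890.local 51000 typ host generation 0',
];
const VPN_EXIT_IP = '198.51.100.7'; // assumed: the exit address the VPN should show

// In a browser: gatherCandidates().then((l) => console.log(findLeaks(l, VPN_EXIT_IP)));
```

Run this with the VPN connected and compare against the exit address the provider’s own status page shows. One caveat for anyone re-running the 2015 test today: current Chrome and Firefox builds replace host candidates with mDNS names (the .local entry in the sample), so the LAN-address half of the leak no longer appears by default, but the srflx candidate still carries whatever public address the STUN server saw, which is the part that matters for a VPN.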

Browsers have nonetheless kept WebRTC. What has appeared since are settings, extensions and add-ons that block the leak by disabling WebRTC or restricting which addresses it may report, at the cost of the real-time communication features that depend on it. In Firefox the feature can be switched off by setting media.peerconnection.enabled to false in about:config; Chrome has no equivalent setting in its regular preferences, so its users rely on an extension.

WebRTC is still enabled by default in the major browsers; the ones not affected are Tor Browser, Edge and Internet Explorer. Among the services VoidSec audited, those found to leak IP addresses through a WebRTC-enabled browser were BolehVPN, ChillGlobal, Glype, hide-me.org, Hola!VPN, PureVPN, SmartHide Proxy, SOCKS Proxy, SumRando Web Proxy and TOR as PROXY. According to the study, about 80 commercial VPNs remain untested; VoidSec’s Google spreadsheet is the reference for the current state of the list.

There are a great many commercial VPNs on the market, some free and some sold on monthly or annual subscriptions. Most of the trusted providers we review have a strict policy against logging their users’ activity and information, because such logs are a serious threat to privacy: anyone who obtains them can use them to locate the user, expose other sensitive data or intercept the user’s online activity.

Choosing the right VPN

Some of the considerations to keep in mind when looking for a VPN service provider are:

  • Its security and logging policies. Read them carefully and note whether the provider records any client information, be it sessions, timestamps, IP addresses or anything else.
  • Its ability to monitor usage. Some users overload the servers they connect to, and the provider should be able to detect this, since it can lead to connection leaks or connection abuse.
  • A kill-switch feature. A kill switch blocks all network traffic the moment the VPN tunnel drops, so that a connection leak or DNS leak does not expose your real IP address while the tunnel is down.
  • Payment options. Are they flexible about payment, and how do they protect the sensitive details involved? The most common payment method among VPN providers is PayPal; many also accept cryptocurrencies such as Bitcoin for users who want the transaction itself to be more anonymous.
  • Whether the provider relies on a third party or outsources its servers. Many do, so make sure the partner is a credible data-center operator.

Lastly, consider whether the provider allows peer-to-peer file sharing. Some do not, so if you want a VPN for file sharing you need to do some research first.

These are just some of the things to consider when picking a VPN. VPNs are getting stronger, but so are the bugs and vulnerabilities that undermine them, so be extra careful.