Some time ago, during a small event in my city, I’ve presented a small research on “decloaking” the true IP of a website visitor (ab)using the WebRTC technology.
WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs.
Is a component allowing calls to use the STUN and ICE mechanisms to establish connections across various types of networks? The STUN server sends a pingback that contains the IP address and port of the client
These STUN (Session Traversal Utilities for NAT) servers are used by VPNs to translate a local home IP address to a new public IP address and vice-versa. To do this, the STUN server maintains a table of both your VPN-based public IP and your local (“real”) IP during connectivity (routers at home replicate a similar function in translating private IP addresses to public and back.).
WebRTC allows requests to be made to STUN servers which return the “hidden” home IP-address as well as local network addresses for the system that is being used by the user.
This functionality could be also used to de-anonymize and trace users behind common privacy protection services such as: VPN, SOCKS Proxy, HTTP Proxy and in the past (TOR users).
Browsers that have WebRTC enabled by default:
23% of the tested VPNs and Proxies services disclosed the real IP address of the visitors making the users traceable.
The following providers leaks users’ IP:
You can find the complete spreadsheet of tested VPN providers here: https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0
Add a comment or send me a tweet if you have updated results for any of the VPN which I am missing details. (especially the “$$$” one, since I cannot subscribe to 200 different paid VPN services :P)
Some tips to follow in order to protect your IP during the internet navigation:
You can check if your VPN leaks through this POC: http://ip.voidsec.com
I’ve updated Daniel Roesler code in order to make it works again and you can find it on Github.
Paolo Stagno (aka VoidSec) is a Cyber Security Researcher and a Penetration Tester focused on the Offensive Security field. He is specialized in Security Research, Penetration Tests, Vulnerability Assessment, Network and Application Security. He is working as an external consultant for a wide range of clients across top tier international banks, major companies and industries.
(Security Affairs – WebRTC, VPN)