Massive WebRTC Flaw Hits VPN Services

If you use any of the major VPN services out there, your IP address information could have been put at risk due to a new flaw that’s been discovered in the WebRTC communication protocol.

The problem appears when protected information is passed through popular browsers such as Firefox or Chrome. Thankfully, it’s because the flaw exists in those two pieces of browsing software that it’s also a fairly simple fix.

Whenever a website of a VPN provider is hit with what’s called a “STUN” server request, it’s possible to log incoming and outgoing connections which can then be traced back to real IPs.

For now the problem seems to be limited to Windows machines exclusively, however that could change as the exploit becomes more well known across the net in the next few days.

CEO of TorGuard Ben Van Der Pelt claimed there’s still a way around the issue, recommending that users install the address for their VPN tunnel directly on their router, rather than opting to let the software do the job instead.

“Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one’s real IP,” Van der Pelt says.

“During our testing Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes,” he adds.

“The best case scenario to avoid this vulnerability would be to use the VPN directly on the router, enabling all devices to use the router’s VPN node,” said another VPN provider, Invisible Browsing.

Several other providers, such as PureVPN, have been sending out advisories to users on the matter.


A sample of how the exploit works was posted by Daniel Roester on his GitHub page, along with a tool that users can launch to see whether or not their machine or VPN provider has been affected by the unpatched hole.

To fix the problem on the software side of things, there are two different techniques for each browser.

First, in Chrome a user can install the WebRTC block extension which was specifically created for the purpose of plugging up the channel that the STUN command runs through to get to the server.

Another option is to run ScriptSafe, which is an overarching solution that prevents unrecognized scripts from launching in the first place.

If you’re on Firefox, the patch is even easier. Simply install the NoScript addon, and you’re on your way.