WebRTC Leaks and Your Privacy (+ how to fix them)

/ data privacy, how-to guide, web browsers

WebRTC can prove useful when you need to use it.

However, did you know that a critical flaw in WebRTC that has yet to be adequately addressed across all browsers leaks your internal (or true) IP address?

And did you know that the browser will leak your true IP address, even if you're using a credible VPN service?

This phenomenon is known as a WebRTC leak and it greatly affects your online privacy.

We'll look into what WebRTC does and how to prevent your browser from leaking your true IP address everywhere.

What is WebRTC?

Let's break down the name first.

WebRTC = Web Real Time Communication

WebRTC lets you communicate by voice, video chat, and other forms of P2P sharing from inside your browser - without downloading any extensions or add-ons.

Originally, WebRTC was released in 2011. However, only in the past couple of years has it become more popular.

You should be aware that while WebRTC is an open-source project, it is created, backed, and heavily endorsed by Google.

If interested, you can view the code repository here.

WebRTC leaks and privacy

To keep it very simple: WebRTC frequently leaks your true or internal IP address.

Your internal IP address is not the same as your external IP address. Your external IP address is assigned by your Internet Service Provider (ISP) and is "meant" to be shared with the Internet.

Your true IP address is meant to only be shared with other devices connected to your local network (ex: your Wi-Fi).

Therefore, to the outside world, it functions as a unique identifier.

When outsiders, such as the web servers that host the websites you visit, get ahold of your internal IP address it compromises your online privacy.

It then becomes easy to collect other more sensitive information such as:

  • Your precise geo-location (frequently within 1-2 miles accuracy)
  • Excessive details about the device you're using (make, operating system, software version{s}, exact model, etc.)
  • Information about other devices on your network

To top it all off, it's not exactly hard for any website to pull your internal IP address from your browser using the WebRTC protocol

Hell, it can be done with just a few lines of JavaScript. Keep in mind that JavaScript has the potential to be executed silently and without the end-user (read: you) even knowing.

And keep in mind that even if you're behind a solid VPN, this can (read: will) happen unless you address the leak in your browser (or VPN service) directly. This happens because the WebRTC traffic doesn't always get routed through the VPN.

Is your browser leaking your IP address?

Here are some reliable tools to check if your browser is leaking your internal IP address:

Fixing browser WebRTC leaks

You can fix browser WebRTC leaks two different ways:

  1. Disabling the WebRTC function in your chosen web browser, if possible.


  1. Installing an extension that fixes or helps curve WebRTC components from leaking your true IP address all over. (However, you should be aware that the extension method isn't always 100% effective.)


You can disable WebRTC altogether in Firefox:

  1. Open Mozilla Firefox
  2. Type about:config into the address bar
  3. If you've never been the advanced settings, you'll see an alert. Click the equivalent of "I accept."
  4. You should be looking at a mostly blank page with a search bar the top. In the search bar on the page, type media.peerconnection.enabled
  5. Double click on media.peerconnection.enabled. It should now say "false."
  6. Restart the browser and retest for leaks


We strongly recommend not using this browser at all. Here's why

On the desktop version of Chrome, you cannot disable WebRTC from within the browser settings.

Your only option is installing an extension that mitigates the potential WebRTC leak.

WebRTC extension recommendations:

It's important to understand that these extensions will not disable WebRTC for you, but rather tweak settings to help prevent leaks from occurring.

And again, even with the tweaking done by these extensions, this is not foolproof. Under specific circumstances, your true IP address can still be revealed via WebRTC leakage.


With Chrome on Android, you can disable WebRTC:

  1. Open Chrome on your Android device
  2. In the address bar, type chrome://flags/#disable-webrtc
  3. Find the setting Disable WebRTC
  4. Click "Enable"
  5. Restart the browser and test for leaks


We strongly recommend not using this browser at all. Here's why

Like Chrome, you can't outright disable WebRTC in Edge. This is because as of 2020, the new Edge uses Chromium, which is the browser engine for the likes of Google Chrome and Brave.

However, you can disable sharing your internal IP address over WebRTC connections:

  1. Open Microsoft Edge
  2. Type about:flags into the address bar.
  3. There's a whole bunch of settings here. Look for Anonymize local IPs exposed by WebRTC (hint: use CTRL+F to the search the page for "hide")
  4. For Anonymize local IPs exposed by WebRTC, select "Enable."
  5. Restart the browser and retest for leaks


Brave is based on the Chromium engine.

Therefore, you can't outright disable WebRTC.

However, you can easily mitigate WebRTC leaks from within the browser settings:

Method 1

  1. Open the Brave browser
  2. Find and click "Settings"
  3. Click on the search icon, located in the upper right of the screen (or press CTRL+F)
  4. In the search bar, type webrtc
  5. Under WebRTC IP Handling Policy, click the drop-down
  6. Select "Default public interface only" from the drop-down
  7. Restart browser and test for leaks

Method 2

  1. Open the Brave browser
  2. Find and click "Settings"
  3. Look for the "Shields" section within the "Settings" page
  4. Click on the drop down for "Fingerprinting blocking"
  5. Select "Strict, may break sites" from the drop-down
  6. Restart browser and test for leaks

Alternatively, since most extensions that work on Chrome also work on Brave, you can install a Chrome extension to handle this for you.

I will say that it's better to use the settings within the Brave browser itself because they're more reliable than the extension solution.


Supposedly, Safari doesn't leak your internal IP address over WebRTC, but many users have experienced otherwise since WebRTC was first introduced into Safari.

The general claim is that WebRTC leaks only seem to affect browsers on Windows platforms. Maybe Linux, depending on the build. This claim is to be taken with a grain salt - but in general (and as always), you should act in according to your own personal threat model.

As you may or may not already know, Apple was relatively "late" in implementing WebRTC in Safari on both its macOS and iOS platforms. Specifically, WebRTC was officially introduced with the release of Safari 11 on both desktop and mobile platforms, circa 2017. Many other web browsers had adapted it earlier.

Disabling WebRTC in Safari:


WebRTC reportedly doesn't leak your internal IP address on iOS. Source

You can still disable WebRTC related features by using the advanced settings for Safari:

  1. Open the Settings app on your iDevice
  2. Tap "Safari"
  3. Scroll all the way down and tap "Advanced"
  4. Tap "Experimental Features"
  5. Disable anything with WebRTC in the name
  6. Open Safari and test for leaks

NOTE: There does not appear to be a way to disable WebRTC outright in iOS. Supposedly this has been the case since the release of iOS 12.


  1. Open Safari and navigate to Preferences
  2. Click on the Advanced tab and then check Show Develop menu
  3. Outside the preferences menu, navigate to Develop > Experimental Features
  4. Check Remove Legacy WebRTC API
  5. Close Safari. Open and then test for leaks

Re-test for IP leaks

After you adjusted your settings accordingly, you'll want to retest the browser for any leaks.

Again, these are solid web tools for testing for WebRTC leaks:

Keep in mind that seeing your external (or public) IP address is fine. What we are concerned about is stopping the leakage of our internal (private or true) IP address.

This should help you keep control of your online privacy. As always, stay safe out there!

Next Post Previous Post