WebRTC Leaks and Your Privacy (+ how to fix them)

This post was originally published on 31 JAN 2021; it has since been updated and revised.

WebRTC can prove useful when users need to use it, which is most commonly during peer-to-peer (P2P) calling in the browser.

However, WebRTC has a critical flaw, yet to be directly and adequately addressed across all browsers, that leaks users' internal IP addresses. Even if using a trusted and leak-resistant VPN service, the IP address can leak through this flaw.

This phenomenon is known as a WebRTC leak and it can have an impact on privacy while remaining "invisible" to the user.

What is WebRTC?

WebRTC = Web Real Time Communication

WebRTC allows users to communicate by voice, video chat, and other forms of P2P sharing from directly inside the browser - without downloading any additional extensions or add-ons. WebRTC was released officially in 2011. However, only in recent years has it become more popular.

WebRTC is an open-source project, but it is created, backed, and heavily endorsed by Google.

WebRTC leaks and privacy

WebRTC leaks a user's internal IP address and can leak the external IP address as well. This leak can occur even from behind a well-implemented and trusted VPN provider. WebRTC leaks are not the same as DNS leaks or IPv6 leaks, which are almost entirely a problem with VPN configuration settings.

Your internal IP address is not the same as your external IP address. Your external IP address is assigned by your Internet Service Provider (ISP) and is "meant" to be shared with the internet. However, users who wish to hide their IP address via a VPN are compromised via these leaks.

The internal IP address is meant to only be shared with other devices connected to your local network, such as a user's home Wi-Fi. If leaked to the outside world, it can serve as an even more unique identifier than the external IP address meant to be shared with other machines on the internet.

Naturally, this poses a problem in protecting and maintaining online privacy.

While IP addresses exposed on the internet aren't necessarily a large concern in themselves, the collection of IP address data alongside other tracking and fingerprinting methods poses a serious hurdle for users seeking improved online privacy. This is especially true if a user is accidentally and silently leaking their IP address even while taking privacy and cybersecurity enhancing measures.

IP addresses can be used to collect or infer with reasonable accuracy information such as:

  • Your precise geo-location (frequently within 1-2 miles accuracy)
  • Excessive details about the device you're using (make, operating system, software version(s), exact model, etc.)
  • Information about other devices on your network
  • ISP information

Perhaps the worst thing about WebRTC leaks is that most methods websites use to pull an IP address via WebRTC are silent. In fact, just a few lines of JavaScript executing silently can use a WebRTC leak to pull an IP address even from behind a VPN, as WebRTC traffic doesn't always route through the VPN.

Most times, the end-user would be totally unaware of this happening.

Is your browser leaking your IP address?

Tools are available to evaluate whether the browser is leaking information via WebRTC:

These tools emulate the common techniques websites use to pull this information from the browser. Again, as noted earlier, most of these techniques happen silently and without the express knowledge of the user. Denying cookies does nothing to alleviate this.

Fixing browser WebRTC leaks

Two main ways to fix WebRTC leaks include:

  1. Disabling the WebRTC function in a chosen web browser, if possible.

or

  2. Installing an extension that fixes or helps prevent WebRTC components from leaking the internal IP address.

Users should be aware the extension method isn't always 100% effective.

Firefox

WebRTC can be completely disabled in Mozilla Firefox:

  1. Open Mozilla Firefox
  2. Type about:config into the address bar
  3. If you've never been to the advanced settings, you'll see an alert. Click the equivalent of "I accept."
  4. You should be looking at a mostly blank page with a search bar at the top. In the search bar on the page, type media.peerconnection.enabled
  5. Double click on media.peerconnection.enabled. It should now say "false."
  6. Restart the browser and retest for leaks

Chrome

This browser isn't recommended for users seeking privacy.

On the desktop version of Chrome, WebRTC cannot be disabled from within the browser settings.

The only option to disable WebRTC in Google Chrome is via installing an extension that mitigates WebRTC leaks.

WebRTC extension recommendations:

It's important to understand that these extensions will not disable WebRTC, but rather tweak settings to help prevent leaks from occurring.

And again, even with the tweaking done by these extensions, this is not foolproof. Under specific circumstances, IP address information can still be revealed via WebRTC leakage.

Android

With Chrome on Android, WebRTC can be disabled:

  1. Open Chrome on your Android device
  2. In the address bar, type chrome://flags/#disable-webrtc
  3. Find the setting Disable WebRTC
  4. Click "Enable"
  5. Restart the browser and test for leaks

Edge

This browser isn't recommended for users seeking privacy.

As with Google Chrome, WebRTC cannot be disabled within Edge. Starting in 2020, the new version of Microsoft Edge uses Chromium like Google Chrome and the Brave Browser.

However, Edge does have a setting to disable sharing the internal IP address over WebRTC connections:

  1. Open Microsoft Edge
  2. Type about:flags into the address bar.
  3. There's a whole bunch of settings here. Look for Anonymize local IPs exposed by WebRTC (hint: use CTRL+F to search the page for "hide")
  4. For Anonymize local IPs exposed by WebRTC, select "Enable."
  5. Restart the browser and retest for leaks

Brave

Brave is based on the Chromium engine. Therefore WebRTC cannot be disabled from within the browser.

However, WebRTC leaks can be mitigated from within the Brave Browser's settings:

Method 1

  1. Open the Brave browser
  2. Find and click "Settings"
  3. Click on the search icon, located in the upper right of the screen (or press CTRL+F)
  4. In the search bar, type webrtc
  5. Under WebRTC IP Handling Policy, click the drop-down
  6. Select "Default public interface only" from the drop-down
  7. Restart browser and test for leaks

Method 2

  1. Open the Brave browser
  2. Find and click "Settings"
  3. Look for the "Shields" section within the "Settings" page
  4. Click on the drop-down for "Fingerprinting blocking"
  5. Select "Strict, may break sites" from the drop-down
  6. Restart browser and test for leaks

Alternatively, since most extensions that work on Chrome also work on Brave, it's possible to install an extension to mitigate potential WebRTC traffic leaks.

Users may find the settings within Brave to be more reliable for mitigating WebRTC leaks as opposed to using extensions.

Safari

Supposedly, Safari doesn't leak IP address information via WebRTC, but many users have experienced otherwise since WebRTC was first introduced into Safari.

Allegedly, WebRTC leaks only affect browsers on Windows platforms and potentially on Linux systems, depending on the distro. This claim is yet to be proven and should be taken with a grain of salt.

Apple was relatively "late" in implementing WebRTC in Safari on both its macOS and iOS platforms. Specifically, WebRTC was officially introduced with the release of Safari 11 on both desktop and mobile platforms, circa 2017. At this point in time, many web browsers had long adopted and incorporated WebRTC into their source code.

Disabling WebRTC in Safari:

iOS

WebRTC reportedly doesn't leak your internal IP address on iOS.

You can still disable WebRTC related features by using the advanced settings for Safari:

  1. Open the Settings app on your iDevice
  2. Tap "Safari"
  3. Scroll all the way down and tap "Advanced"
  4. Tap "Experimental Features"
  5. Disable anything with WebRTC in the name
  6. Open Safari and test for leaks

NOTE: There does not appear to be a way to disable WebRTC outright in iOS. Supposedly this has been the case since the release of iOS 12.

macOS

  1. Open Safari and navigate to Preferences
  2. Click on the Advanced tab and then check Show Develop menu
  3. Outside the preferences menu, navigate to Develop > Experimental Features
  4. Check Remove Legacy WebRTC API
  5. Close Safari, reopen it, and then test for leaks

Re-testing for IP leaks

After adjusting settings accordingly, users will want to retest the browser for any leaks:

  • Ensure the correct settings are enabled (or extensions are installed and active).
  • Restart the browser
  • Re-test for leaks

Again, these are solid web tools for testing for WebRTC leaks:

Keep in mind that seeing the external (or public) IP address is fine in most cases if not behind a VPN.
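
To interpret what a leak test shows before and after changing settings, the following added example (not code from the original post) classifies the ICE candidate lines a test page reports: internal addresses, public addresses that differ from the VPN exit IP, and the anonymized ".local" mDNS hostnames that Chromium-based browsers substitute for local IPs. The function names, the sample candidates, and the VPN exit address are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. All candidate lines and
// addresses are constructed (RFC 1918 / RFC 5737 documentation ranges).
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];
const PRIVATE_V6 = [/^f[cd][0-9a-f]{2}:/i, /^fe[89ab][0-9a-f]:/i, /^::1$/];

// "mdns" = anonymized .local hostname, "private" = internal address, else "public".
function addressKind(addr) {
  if (/\.local$/i.test(addr)) return "mdns";
  const table = addr.includes(":") ? PRIVATE_V6 : PRIVATE_V4;
  return table.some((re) => re.test(addr)) ? "private" : "public";
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(?: raddr (\S+))?/.exec(line.trim());
  return m ? { address: m[1], type: m[2], raddr: m[3] || null, kind: addressKind(m[1]) } : null;
}

// vpnExitIp: the public address the VPN is expected to present (assumed known to the tester).
function assessLeak(lines, vpnExitIp) {
  const internal = new Set(), publicNotVpn = new Set();
  let anonymized = 0, unparsed = 0;
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { unparsed++; continue; }
    if (c.kind === "mdns") anonymized++;
    else if (c.kind === "private") internal.add(c.address);
    else if (c.address !== vpnExitIp) publicNotVpn.add(c.address);
    // A server-reflexive candidate can also carry the local address in raddr.
    if (c.raddr && addressKind(c.raddr) === "private") internal.add(c.raddr);
  }
  return { internal: [...internal], publicNotVpn: [...publicNotVpn], anonymized, unparsed,
           leaking: internal.size > 0 || publicNotVpn.size > 0 };
}

// Constructed test output: before and after applying a browser mitigation.
const BEFORE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
];
const AFTER = [
  "candidate:1 1 udp 2122260223 3f2a1b4c-5d6e-4f70-8a9b-0c1d2e3f4a5b.local 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.50 54321 typ srflx raddr 0.0.0.0 rport 0",
];
console.log(assessLeak(BEFORE, "203.0.113.50"));
console.log(assessLeak(AFTER, "203.0.113.50"));
```

If a retest returns no candidates at all, as when WebRTC is fully disabled, the report shows nothing exposed and "leaking" is false.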

Final thoughts

WebRTC leaks are silent and websites engaging in tracking and fingerprinting can just as silently pull information leaked via WebRTC traffic.

Even if using a VPN, users should take steps to address potential WebRTC leaks from inside their chosen browsers. All browsers are subject to WebRTC leaks.

Preventing WebRTC leaks is a relatively painless way to improve any given user's online privacy.

Stay safe out there!
