When discussing online privacy and VPNs, the topic of WebRTC leaks and vulnerabilities often comes up.
While the WebRTC issue is often discussed with VPN services, this is, in fact, a vulnerability with web browsers – Firefox, Opera, Chrome, Brave, Safari, and Chromium-based browsers.
So what is WebRTC?
WebRTC stands for “Web Real-Time Communication”. This basically allows for voice, video chat, and P2P sharing within the browser (real-time communication) without adding extra browser extensions – as further described on Wikipedia.
What is a WebRTC leak?
A WebRTC leak is when your real IP address is exposed via your browser’s WebRTC functionality. This leak can de-anonymize you via WebRTC APIs, even if your VPN is working correctly.
If you have not protected yourself against WebRTC leaks in your browser, any website you visit could obtain your real IP address through WebRTC STUN requests. This is a serious problem.
While the WebRTC feature may be useful for some users, it poses a threat to those using a VPN and seeking to maintain online anonymity without their real IP address being revealed.
The WebRTC Vulnerability
The fundamental vulnerability with WebRTC is that your true IP address can be exposed via STUN requests in Firefox, Chrome, Opera, Brave, Safari, and Chromium-based browsers, even when you are using a good VPN.
Daniel Roesler exposed this vulnerability in 2015 on his GitHub page, where he stated:
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.
Will a VPN protect me against WebRTC leaks?
Just like with browser fingerprinting, the WebRTC issue is a vulnerability with web browsers. As such, it is best to address the root cause of the issue by fixing the vulnerability with your browser, which we will cover below.
Nonetheless, there are some VPNs that protect against WebRTC vulnerabilities. I have tested two VPNs that protect users against WebRTC leaks via firewall rules:
- Perfect Privacy – The Perfect Privacy VPN clients are configured to protect against WebRTC vulnerabilities. I tested this with Windows and Mac OS.
- ExpressVPN – ExpressVPN has recently updated their software to further protect users against WebRTC leaks. I tested the updated software on Windows and Mac OS and verified that it protects against WebRTC leaks.
Note – Given that the WebRTC vulnerability is a tricky issue, it is still best to fix the problem in your browser, rather than relying solely on a VPN for protection.
WebRTC leak solutions
Here are three different options for dealing with the WebRTC issue:
1. Disable WebRTC in the browser (Firefox) and only use browsers with disabled WebRTC capability. (Instructions are below.)
2. Use browser add-ons or extensions if disabling WebRTC is not possible. (Disabling WebRTC is not possible with Chrome and Chromium-based browsers, such as the Brave browser.)
Note: browser add-ons and extensions may not be 100% effective. Even with add-ons, the vulnerability still exists in the browser to reveal your true IP address with the right STUN code.
WebRTC fixes and add-ons
Below are different fixes for various browsers.
Disabling WebRTC is very simple in Firefox. First, type about:config into the URL bar and hit enter. Then, agree to the warning message and click “I accept the risk!”
Then, in the search box type “media.peerconnection.enabled”. Double click the preference name to change the value to “false”.
WebRTC is completely disabled in Firefox and you won’t have to worry about WebRTC leaks.
Chrome WebRTC (desktop)
Since WebRTC cannot be disabled in Chrome (desktop), add-ons are the only option (for those who do not want to just give up on using Chrome).
As pointed out above, it is important to remember that browser add-ons may not be 100% effective. In other words, you may still be vulnerable to WebRTC IP address leaks under certain circumstances. Nonetheless, here are some add-ons that may be worth considering:
Note: Unlike with Firefox, these extensions only change WebRTC’s security and privacy settings.
Another obvious solution is to stop using Chrome.
Chrome WebRTC (mobile)
On your Android device, open the URL chrome://flags/#disable-webrtc in Chrome.
Scroll down and find “WebRTC STUN origin header” – then disable it. For good measure, you can also disable the WebRTC Hardware Video Encoding/Decoding options, though it may not be necessary.
Note: Android users can also install Firefox, and disable WebRTC via the steps above.
Just like with Chrome, the only way (as of now) to address the WebRTC vulnerability in Opera is to use an extension.
First, download the extension “WebRTC Leak Prevent” to your Opera browser.
Then in the Advanced options for the WebRTC Leak Prevent extension, select “Disable non-proxied UDP (force proxy)” and then click Apply settings.
Again, because this is an extension solution, it may not be 100% effective.
Because the Brave browser is based on Chromium, it is also vulnerable to WebRTC IP address leaks, even when you are using a VPN.
There are two ways to block WebRTC in the Brave browser:
Method 1) Via Fingerprinting protection – Go to Preferences > Shields > Fingerprinting Protection > and then select Block all fingerprinting. This should take care of all WebRTC issues – at least on desktop versions of Brave (Windows, Mac OS, and Linux).
Method 2) Go to Preferences > Security > WebRTC IP Handling Policy > and then select Disable Non-Proxied UDP. This should also block WebRTC IP leaks in the Brave browser.
Note: I have seen some complaints from users who claim that WebRTC is not getting blocked on iOS, despite making the changes above. Brave developers appear to have confirmed this issue and are working on a fix.
WebRTC leaks have traditionally not been an issue with Safari browsers (on Mac OS and iOS devices). However, Apple is now incorporating WebRTC into Safari, although it’s still technically an “experimental” feature. Nonetheless, it’d be wise to disable WebRTC in Safari for privacy reasons. Here’s how:
- Click “Safari” in the menu bar
- Then click Preferences
- Click on the “Advanced” tab, then at the bottom check the box for “Show Develop menu in menu bar”
- Now, click on “Develop” in the menu bar. Under the “WebRTC” option, if “Enable Legacy WebRTC API” is checked, click on it to disable this option (no check mark).
That will effectively disable WebRTC in Safari.
Test for WebRTC leaks
Ok, now that you’ve disabled or blocked WebRTC in your browser, you can run some tests.
As noted in my guide on testing your VPN, there are three different test websites for WebRTC:
- Perfect Privacy WebRTC Test (This tool will test to see if you have a WebRTC leak, while also providing a detailed explanation of WebRTC leaks at the bottom of the page.)
- BrowserLeaks WebRTC Test (Another WebRTC test that works well, also includes helpful WebRTC information.)
- ipleak.net (This is an all-in-one test tool that includes a WebRTC leak test.)
Note: If you are seeing a local IP address, this is not a leak. A WebRTC leak will only be with a public IP address.
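The rule in the note above, as an added example that is not part of the original article: a JavaScript helper that parses the ICE candidate lines a WebRTC test page displays and separates local addresses from public ones. The function names, the sample candidate lines and the idea of comparing against a known VPN exit IP are assumptions made for illustration.

```javascript
// Added example: apply the "local address is not a leak" rule to ICE candidates.
// Candidate layout: candidate:<foundation> <component> <transport> <priority>
//                   <address> <port> typ <type> [raddr ... rport ...]
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null; // not a candidate line
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4] };
}

function addressScope(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns"; // browser-obfuscated host candidate
  if (a.includes(":")) { // IPv6: loopback, link-local fe80::/10, unique-local fc00::/7
    return a === "::1" || /^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a)
      ? "local" : "public";
  }
  const parts = a.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    return "invalid";
  }
  const [x, y] = parts.map(Number);
  const local = x === 10 || x === 127 || (x === 172 && y >= 16 && y <= 31) ||
    (x === 192 && y === 168) || (x === 169 && y === 254) || (x === 100 && y >= 64 && y <= 127);
  return local ? "local" : "public";
}

// vpnExitIp is an assumption: the public address your VPN shows for normal traffic.
function assessLeak(lines, vpnExitIp) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const scope = addressScope(c.address);
    let verdict = scope === "invalid" ? "unknown" : "not a leak"; // local or mDNS
    if (scope === "public") verdict = c.address === vpnExitIp ? "vpn exit" : "LEAK";
    findings.push({ address: c.address, type: c.type, scope, verdict });
  }
  return findings;
}

// Constructed sample (documentation-range addresses), not captured from a real session.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f1c9a2e-7b4d-4c1e-9a6f-0d2b8e5a1c77.local 54322 typ host",
  "a=candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000",
];
console.log(assessLeak(SAMPLE, "198.51.100.7"));
```

A public address that matches the VPN's exit IP is the expected result with a working VPN; only a public address other than the VPN's is reported as a leak.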
Here I’m running a test in the Firefox browser with ExpressVPN:
You can see the ExpressVPN client on the right, with the test results on the left. No leaks!
Conclusion on WebRTC leaks and browser vulnerabilities
The WebRTC leak vulnerability highlights a very important concept for those seeking a higher level of online anonymity and security through various privacy tools.
The browser is usually the weak link in the chain.
The WebRTC issue also shows us that there may be other vulnerabilities that exist with our privacy setup, which we are not even aware of. (The WebRTC issue was not publicly known until 2015.)
One other problem to be aware of is browser fingerprinting. This is when various settings and values within your browser and operating system can be used to create a unique fingerprint, and thereby track and identify users. Fortunately, there are effective solutions for this as well.
And lastly, there are many different secure and private browsers to consider, many of which can be customized for your own unique needs.
Last updated August 20, 2019, to include new information and instructions for disabling WebRTC in the Safari browser.