Home » Featured » Major Windows Security Flaw Leaks VPN Users Real IP Address
Click Here To Hide Tor

Major Windows Security Flaw Leaks VPN Users Real IP Address

To the author of this article:  We are mailing to your mail2tor.com mail, and don’t think you are getting those mails, please contact us from another address.

Just a few days after learning that the Canadian Government is tracking visitors of popular file-sharing sites security researchers have discovered a major security flaw that reveals Windows VPN users real IP address through WebRTC. Linux and Mac OS X users are not affected by this vulnerability as it is specific to Windows users running Google Chrome and Firefox.

With a few lines of code websites can make requests to STUN servers and log users’ VPN IP address and their true IP address, as well as local network addresses.

A demo published on GitHub by developer Daniel Roesler allows people to check if they are affected by the security flaw.

The demo claims that browser plugins can’t block the vulnerability, but luckily this isn’t entirely true. There are several easy fixes available to patch the security hole.

Chrome users can install the WebRTC block extension or ScriptSafe, which both reportedly block the vulnerability.

Firefox users should be able to block the request with the NoScript addon. Alternatively, they can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false. The Tor Browser Bundle includes the NoScript addon with Firefox but Windows users will want to verify that NoScript is configured properly.

While developments like this can appear frightening, the good news is there is a simple fix. The real problem here however is not the fix, but rather the fact that many users will go about their day to day activities without knowledge of this flaw. It is important to be aware of current security issues and ensure that the latest software updates or fixes are applied to remain anonymous and maintain our privacy and security.

More information on what this does is available from the researcher’s github page:

Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript. This demo is an example implementation of that.

Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.”

Two of the top anonymous VPN service providers TorVPN and Private Internet Access addressed the vulnerability on their blogs and forums suggesting that their users test for DNS, email, and IPv6 IP address leaks when setting up their service. [See testing resource links below]

How to fix the WebRTC Security Hole

In Chrome browser there is now a free extension available that will patch this problem directly. You can install this add-on from the Chrome Store here.

In Firefox, there are a few more steps to patch the problem. First, type “about:config” directly into the URL bar and hit enter. Then search for “media.peerconnection.enabled” and double click this option to set it to false.

Testing Resources:

DNSLeak: http://dnsleak.com/

IPLeak: http://ipleak.net/

IPv6 Leak:http://ipv6leak.com/

E-Mail IP Leak: http://emailipleak.com/


  1. The webRTC issue does appear in some browser contexts beyond Windows, as we have confirmed via in-house packet analysis of Linux and OSX traffic.

    Having customers “test for DNS and IP6 leaks” will do absolutely nothing to address this issue, and is worse than useless. It is a shame that such bad advice is handed out by vendors who should know enough to at least stay quiet if they don’t understand a technical subject.

    Meanwhile, we’ve published an opensource fix for the Windows version of the leak, in the form of a script that generates necessary firewall rules to block outbound packets to all known STUN servers used by the major browser classes:

    Additionally, we’ve onboarded this leakblock protection in our Windows network connection widget, so anyone accessing our secure network is protected from this class of information leaks without any additional steps required:

    This is particularly useful given the growing volume of visits to .onion sites that transit via our hybrid Tor-cryptostorm gateway, torstorm… which is itself structurally proofed against the entire category of traffic correlation attacks that are (per Snowden documents) the primary method of de-anonymising attack used by the NSA against visitors to Tor .onion sites worldwide.

    So that’s how we reacted to this particular security issue. We figured we’d let you guys know :-)


    ~ cryptostorm network

    • You are nothing but a VPN vendor trying to spread FUD to promote your company. In other words you are a useless SHILL ! You have contributed nothing to this very real security flaw except in the context of advertising your VPN. A VPN which offers nothing exceptional. Wow, I can buy tokens or use dogecoins. Big Fking Deal. I can pick any VPN company that accepts bitcoin, doesn’t keep logs and isn’t part of the Euro-American dragnet. Your little gimmicks (tokens, tor2web and ” fix ” to the webRtc) are nothing but poor attempts to make your VPN stand out above the others. Well……… it doesnt.

  2. good article

  3. ” Having customers “test for DNS and IP6 leaks” will do absolutely nothing to address this issue, and is worse than useless. It is a shame that such bad advice is handed out by vendors who should know enough to at least stay quiet if they don’t understand a technical subject.”

    What customers and vendors are you talking about ? This article doesn’t say that testing for DNS and IP6 leaks will address the issue. It does tell you exactly how to fix the webRtc stun server leak for chrome and firefox. It also provides a link to the github test to see if your VPN is leaking and if the fix worked.

    You guys have “published an open source fix” ? The fix is in this open source article and has already been published – you moron.

    The links for DNS and IP6 leaks aren’t for ” customers ” and they aren’t to test for webRtc. They are good general sites to check if your VPN is generally working. They are a good resource to have, though they don’t catch the stun server leaks.

  4. When is windows gonna learn

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *