23% of VPN Services Leak Users’ Real IP Addresses
Italian researcher Paolo Stagno tested 70 VPN services and found that 16 of them (23%) leak users’ real IP addresses. The issue is related to the use of WebRTC (Web Real-Time Communication) technology, which enables audio and video calls directly from the browser. This technology is supported by several browsers, including Mozilla Firefox, Google Chrome, Google Chrome for Android, Samsung Internet, Opera, and Vivaldi.
What Is WebRTC?
WebRTC is an open standard for real-time multimedia communication that works directly in web browsers. The project is designed to enable peer-to-peer streaming of data between browsers or other compatible applications.
How Does the Leak Happen?
According to the researcher, WebRTC uses the STUN (Session Traversal Utilities for NAT) and ICE (Interactive Connectivity Establishment) mechanisms to establish connections across different types of networks. A STUN server sends messages containing the IP addresses and port numbers of both the source and the recipient.
VPN services use STUN servers to replace the local IP address with an external (public) IP address and vice versa. However, WebRTC allows packets to be sent to a STUN server, which can then return the user’s “hidden” home IP address as well as local network addresses. These IP addresses are available to JavaScript running in the page, but since the requests are made outside the usual XMLHttpRequest procedure, they are not visible in the developer console.
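To check a VPN setup for the leak described above, the ICE candidate lines gathered by the browser can be inspected for any address other than the VPN exit. The following JavaScript is an added example, not code from Stagno's research; the function names, the sample candidate lines and the documentation-range addresses are constructed for illustration.

```javascript
// Added example. Candidate grammar (RFC 8839):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
const CANDIDATE_RE =
  /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport \d+)?/i;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]),
           type: m[4].toLowerCase(), raddr: m[5] || null };
}

function classifyAddress(addr) {
  if (/\.local$/i.test(addr)) return 'mdns'; // mDNS-obfuscated host candidate, no IP exposed
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) {
    const [a, b] = addr.split('.').map(Number);
    const priv = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
                 (a === 192 && b === 168) || (a === 169 && b === 254);
    return priv ? 'private' : 'public';
  }
  if (addr.includes(':')) {
    // IPv6 loopback, link-local fe80::/10 and unique-local fc00::/7 are not globally routable
    return addr === '::1' || /^(fe[89ab]|f[cd])/i.test(addr) ? 'private' : 'public';
  }
  return 'unknown';
}

// One finding per distinct address that page script can read and that is not the VPN exit.
function findLeaks(candidateLines, vpnExitIp) {
  const findings = new Map();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.raddr]) { // raddr is the base address of srflx/relay candidates
      if (!addr || addr === '0.0.0.0' || addr === '::' || findings.has(addr)) continue;
      const kind = classifyAddress(addr);
      if (kind === 'private') findings.set(addr, { addr, type: c.type, leak: 'local-network' });
      else if (kind === 'public' && addr !== vpnExitIp) findings.set(addr, { addr, type: c.type, leak: 'public-ip' });
    }
  }
  return [...findings.values()];
}

// Constructed sample: 198.51.100.20 stands for the VPN exit, 203.0.113.7 for the home IP.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:3 1 udp 1686052607 198.51.100.20 40000 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 2122260223 3f1c9b2e-0000-4000-8000-aabbccddeeff.local 50000 typ host',
];
console.log(findLeaks(SAMPLE, '198.51.100.20'));
```

An empty result means only the VPN exit address or mDNS-obfuscated host names were exposed; any `public-ip` finding is the leak the article describes.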
Which VPN Services Are Affected?
According to Stagno, the following 16 VPN services leak users’ real IP addresses:
- BolehVPN
- ChillGlobal (Chrome and Firefox plugin)
- Glype (depending on configuration)
- hide-me.org
- Hola!VPN
- Hola!VPN (Chrome extension)
- HTTP PROXY (in browsers with WebRTC support)
- IBVPN
- PHP Proxy
- phx.piratebayproxy.co
- psiphon3
- PureVPN
- SOCKS Proxy (in browsers with WebRTC support)
- SumRando Web Proxy
- TOR (used as a PROXY in browsers with WebRTC support)
- Windscribe