At least 20 percent of the VPNs studied were said to be leaking their clients' IP addresses. The news is worrisome because users rely on VPNs for investigative journalism and for protection in repressive states.
VPNs are lauded for their ability to keep people's data safe at all times. However, a new report indicates that at least 20 percent of modern-day VPNs are leaking their customers' IP addresses. According to the report, the leak is caused by the WebRTC bug, which has been publicly known since January 2015. Some VPN providers, however, claim that they never had the bug.
The report was made by a security researcher named Paolo Stagno, who also goes by the alias VoidSec. Stagno recently audited 83 VPNs for the old WebRTC IP leak and found that at least 17 of them were at fault. Those VPNs leaked their users' IP addresses while the users browsed the internet.
He published his findings in a Google Docs spreadsheet.
Stagno said that he could not audit all the commercial VPN clients due to a lack of funds. He therefore asks users to test their own VPN clients and send him the results. He created a demo website that users can use for the test. The code Stagno used on the web page is also available on GitHub, which helps users who don't want to expose their data on someone else's server.
Stagno's code detects the WebRTC bug. The bug was discovered in January 2015 by another security researcher, Daniel Roesler, and has been around ever since. During his research, Roesler discovered that WebRTC STUN servers were able to keep a record of users' public IP addresses. They also kept the private address, but only in cases where the user was using a NAT network, a proxy or a VPN service. The servers act as mediators for WebRTC connections.
The issue arose because the STUN servers would then show this information to any website that already had a connection with the browser. Because of this, many law enforcement agencies, advertising companies, and criminals have exploited the bug to get users' IP addresses whenever they want.
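To make the leak described above concrete, the following added example (not Stagno's test code and not part of the original report) takes ICE candidate lines a user has recorded from their own browser and flags every address that is not the VPN's exit address. The candidate lines, the addresses (taken from documentation ranges) and the `VPN_EXIT` value are constructed for illustration.

```javascript
// Added example (not Stagno's code). All addresses are constructed sample values
// from documentation ranges; VPN_EXIT is an assumed exit address.
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(?:.*? raddr (\S+))?/i.exec(line.trim());
  if (!m) return null;
  const addresses = [m[1]];
  if (m[3] && m[3] !== '0.0.0.0') addresses.push(m[3]); // related address can reveal the local IP
  return { type: m[2], addresses };
}

function classify(address) {
  const a = address.toLowerCase();
  if (a.endsWith('.local')) return 'mdns'; // browser substituted an mDNS name for the local IP
  if (a.includes(':')) return (a === '::1' || /^fe[89ab]/.test(a) || /^f[cd]/.test(a)) ? 'private' : 'public';
  return PRIVATE_V4.some((re) => re.test(a)) ? 'private' : 'public';
}

// Compare every address seen in the candidates with the known VPN exit addresses.
function auditCandidates(lines, vpnExitIps) {
  const exits = new Set(vpnExitIps);
  const verdicts = new Map(); // address -> verdict, de-duplicated
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip anything that is not a candidate line
    for (const addr of c.addresses) {
      const kind = classify(addr);
      if (kind === 'public') verdicts.set(addr, exits.has(addr) ? 'vpn-exit' : 'public-ip-leak');
      else if (kind === 'private') verdicts.set(addr, 'local-address-exposed');
      else verdicts.set(addr, 'hidden-mdns');
    }
  }
  return verdicts;
}

const VPN_EXIT = '203.0.113.7';
const SAMPLE = [
  'candidate:1 1 udp 2113937151 3f2a1c9e-1b2d-4c3e-8f4a-5d6e7f8a9b0c.local 54400 typ host',
  'candidate:2 1 udp 1677729535 203.0.113.7 46154 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:3 1 udp 1677729535 198.51.100.23 51234 typ srflx raddr 192.168.1.50 rport 51234',
  'not a candidate line',
];
const report = auditCandidates(SAMPLE, [VPN_EXIT]);
for (const [addr, verdict] of report) console.log(addr.padEnd(45), verdict);
```

Any `public-ip-leak` verdict means the browser reported an address other than the VPN exit, which is the condition the audit was looking for.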
Most browsers are said to ship with WebRTC built in. After the bug was exposed, they all released patches for it. These patches help stop the IP leak, but they also limit some of WebRTC's features. The patches did not, however, disable WebRTC itself: the feature is enabled by default in most major internet browsers. The exceptions are the Tor Browser, Internet Explorer, and the Edge browser.
The discovery comes at a time when some researchers recently discovered that some VPNs are keeping logs of files. Clearly, we have a long way to go before we can fully trust technology and each other.