WebRTC in Firefox can be exploited to reveal the IP of a user that has a VPN

RESOLVED DUPLICATE of bug 1297416

Status

Core
WebRTC
2 years ago
2 years ago

People

(Reporter: Pine, Unassigned)

Tracking

unspecified
Points:
---
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?][needinfo bwc 2017-1-27], URL)

(Reporter)

Description

2 years ago
I believe that this exploit was first documented in 2015, but in my brief search I found no information indicating that Mozilla is aware of this exploit and attempting to fix it. The exploit involves a remote host using WebRTC to learn the real IP of a user who is connecting to the web via a VPN and using Firefox, and thus compromising that Firefox user's privacy. See https://diafygi.github.io/webrtc-ips/ for a demo. 

One way to limit the harm from this exploit would be to disable WebRTC by default, and to warn the user that enabling WebRTC can compromise their privacy. A fuller solution would be to prevent the leak of the user's real IP, whether IPv4 and/or IPv6, even with WebRTC enabled.
Flags: sec-bounty?
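
An added example, not part of the original bug report or of Mozilla's code: a check a tester could run over ICE candidate lines captured from their own browser session, to see which addresses are exposed beyond the ones the VPN is expected to reveal. The candidate lines, the expected-address list and all function names are constructed for illustration.

```javascript
// Added example: audit ICE candidate lines for addresses a VPN user does not expect to expose.
// All candidate lines are constructed samples (RFC 1918 and RFC 5737 documentation ranges).
const SAMPLE_CANDIDATES = [
  "candidate:0 1 UDP 2122252543 192.168.1.23 54321 typ host",
  "candidate:1 1 UDP 1686052863 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:2 1 UDP 2122187007 10.8.0.2 54322 typ host",
  "candidate:3 1 UDP 1685987327 198.51.100.9 54322 typ srflx raddr 10.8.0.2 rport 54322",
  "candidate:4 1 UDP 2122252543 a1b2c3d4-0000-4000-8000-123456789abc.local 54323 typ host",
];

// Parse the address-bearing fields of an ICE candidate attribute; null if the line is not one.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(?: raddr (\S+))?/i.exec(line.trim());
  if (!m) return null;
  return { address: m[1].toLowerCase(), type: m[2].toLowerCase(), related: m[3] ? m[3].toLowerCase() : null };
}

// Classify an address as "mdns" (obfuscated hostname), "private" or "public".
function scopeOf(addr) {
  if (addr.endsWith(".local")) return "mdns";
  if (addr.includes(":")) return /^(fe[89ab]|f[cd])/.test(addr) || addr === "::1" ? "private" : "public";
  const [a, b] = addr.split(".").map(Number);
  const isPrivate = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
  return isPrivate ? "private" : "public";
}

// Return one finding per distinct address that is neither expected nor mDNS-obfuscated.
function auditCandidates(lines, expected) {
  const allowed = new Set(expected.map((e) => e.toLowerCase()));
  const findings = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const [addr, field] of [[c.address, "address"], [c.related, "raddr"]]) {
      if (!addr || addr === "0.0.0.0" || allowed.has(addr) || findings.has(addr)) continue;
      const scope = scopeOf(addr);
      if (scope === "mdns") continue; // hostname candidate carries no IP
      findings.set(addr, { address: addr, scope, candidateType: c.type, field });
    }
  }
  return [...findings.values()];
}
```

With the VPN tunnel address and VPN exit address passed as `expected`, any finding is an address visible to the remote side that the VPN was supposed to hide; an empty result means only the expected addresses appeared.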
(Reporter)

Comment 1

2 years ago
Note that this appears to apply both to desktop and mobile versions of Firefox.
Removing security flag as this issue is publicly known. I'm not sure which component to send it to, so trying Core::WebRTC. I imagine there may be duplicate bugs already. :dveditz would know.
Group: websites-security
Component: Other → WebRTC
Product: Websites → Core

Comment 3

2 years ago
This is already addressed in
https://bugzilla.mozilla.org/show_bug.cgi?id=1297416
See Also: → bug 1297416
Flags: sec-bounty? → sec-bounty-
Can you say if this is a real bug?
Flags: needinfo?(docfaraday)
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form] [verif?][needinfo bwc 2017-1-27]

Updated

2 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(docfaraday)
Resolution: --- → DUPLICATE
Duplicate of bug: 1297416