I believe that this exploit was first documented in 2015, but in my brief search I found no information indicating that Mozilla is aware of this exploit and attempting to fix it. The exploit involves a remote host using WebRTC to learn the real IP of a user who is connecting to the web via a VPN and using Firefox, and thus compromising that Firefox user's privacy. See https://diafygi.github.io/webrtc-ips/ for a demo. One way to limit the harm from this exploit would be to disable WebRTC by default, and to warn the user that enabling WebRTC can compromise their privacy. A fuller solution would be to prevent the leak of the user's real IP, whether IPv4 and/or IPv6, even with WebRTC enabled.
Note that this appears to apply both to desktop and mobile versions of Firefox.
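An added example, not part of the original report or of Mozilla's code: a self-audit of the ICE candidate lines a browser gathered for a WebRTC session. It flags any address other than the ones expected to be visible through the VPN. The function names, the sample candidate lines and the VPN addresses are constructed for illustration.

```javascript
// Added example: audit ICE candidate lines for addresses that bypass the VPN.
// mDNS (*.local) names and 0.0.0.0 placeholders reveal no address and are ignored.
function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns";
  if (addr.includes(":")) {                                  // IPv6 literal
    const h = addr.toLowerCase();
    if (h === "::1") return "loopback";
    if (/^fe[89ab][0-9a-f]:/.test(h)) return "link-local";   // fe80::/10
    if (/^f[cd][0-9a-f]{2}:/.test(h)) return "private";      // fc00::/7
    return "public";
  }
  const p = addr.split(".");
  if (p.length !== 4 || !p.every((s) => /^\d{1,3}$/.test(s) && Number(s) <= 255)) return "invalid";
  const [a, b] = p.map(Number);
  if (a === 0) return "unspecified";
  if (a === 127) return "loopback";
  if (a === 169 && b === 254) return "link-local";
  if (a === 10 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31)) return "private";
  return "public";
}
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const r = f.indexOf("raddr");
  return { address: f[4], type: f[7], relatedAddress: r !== -1 ? f[r + 1] : undefined };
}
// Returns one finding per exposed address that is not in `allowed` (VPN tunnel and exit addresses).
function auditCandidates(lines, allowed) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const [field, addr] of [["address", c.address], ["raddr", c.relatedAddress]]) {
      if (!addr || allowed.includes(addr)) continue;
      const scope = classifyAddress(addr);
      if (["mdns", "loopback", "unspecified", "invalid"].includes(scope)) continue;
      findings.push({ type: c.type, field, address: addr, scope });
    }
  }
  return findings;
}
// Constructed sample: LAN host, VPN tunnel host, ISP-side srflx, VPN-exit srflx, mDNS host.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 10.8.0.2 54322 typ host",
  "candidate:3 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1686052351 203.0.113.50 54322 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:5 1 udp 2122260223 3f2a9c1e-constructed.local 54323 typ host",
];
```

With `["10.8.0.2", "203.0.113.50"]` as the allowed VPN addresses, the audit of `SAMPLE` reports the LAN address twice (as a host candidate and as a `raddr`) and the ISP-assigned public address once.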
Removing security flag as this issue is publicly known. I'm not sure which component to send it to, so trying Core::WebRTC. I imagine there may be duplicate bugs already. :dveditz would know.
Component: Other → WebRTC
Product: Websites → Core
This is already addressed in https://bugzilla.mozilla.org/show_bug.cgi?id=1297416
Can you say if this is a real bug?
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form] [verif?][needinfo bwc 2017-1-27]
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1297416