WebRTC leaks: what they are and how to prevent them
Even with a VPN, your privacy can still be exposed to dangers
Even the best VPN services cannot prevent your privacy from being exposed at times. This is something that can occur from a leak on your browser, for example.
First discovered in 2015, WebRTC leaks are a serious vulnerability with web browsers that anyone concerned about their online anonymity should be aware of.
Chrome, Firefox, Safari, Opera, Brave, Chromium-based browsers: all these can be affected.
But what even is WebRTC? Here we assess the risks of it leaking as well as the best practices to help prevent it - even if you're somebody who already uses a VPN to try and stay anonymous online.
What is WebRTC?
Short for Web Real-Time Communication, WebRTC it is an open source tool first introduced in 2011 that allows web browsers to manage real-time peer-to-peer connections with the websites they visit.
WebRTC basically enables voices and video communication to work inside web pages, without the need to add any extensions to your browser.
As the Covid-19 pandemic made working from home and other remote communications a necessity, there's been a huge surge in its use. Today, WebRTC is widely popular for video calling and data transferring applications.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Although users can find WebRTC technology really useful, its intrinsic vulnerabilities pose a threat to those concerned of their privacy - whether or not they are using a VPN.
When does a WebRTC leak occur?
It's worth noting from the outset that for WebRTC to work, it must expose your IP address in order to establish its connections. A leak then accordingly occurs when you are trying to establish communications with someone through a browser that uses WebRTC technology. So if you're somebody who is privacy conscious or doesn't like the idea of being tracked as you navigate the internet, this is likely to be of alarm.
And even if you're a conscientious web user who takes care to cover their tracks by using a VPN, WebRTC leaks can still bypass the encrypted tunnel through which your VPN is supposed to protect your privacy. If a leak occurs, your real IP will be then revealed.
How to prevent WebRTC leaks
Thankfully, there are a few tips and tools that can help you prevent these leaks.
The first step for people already using a VPN is is to see whether your real IP address is actually leaking. Carrying out a test is one of the best ways to prevent WebRTC leaks from endangering your privacy, and it's really simple:
- If you have one, disconnect your device from the VPN service
- Note down your IP address - you can simply find it out by searching 'What’s my IP' on the internet
- Exit the browser
- Re-connect to your VPN
- Refresh the page and look for your IP again on a WebRTC leaks online checker. Among those, there are ipleak.net – which also tests for IPv4, IPv6, and DNS leaks - BrowserLeaks WebRTC test and Perfect Privacy WebRTC test. Plus, Some VPN providers like ExpressVPN offer their own WebRTC Leak Test to make monitoring breaches even easier.
If your IP is not being revealed, it should come out a completely different address each time. But if the the series of numbers is the same, a WebRTC leak is likely exposing your IP address.
It is worth mentioning that WebRTC leaks can vary per browser. So if you use Chrome and Firefox for instance, you should test both. You may also want to verify your results by checking your IP address on different platforms.
Once you are sure that there is a WebRTC leak affecting your browser, you have some options to secure your online privacy:
1. Disable WebRTC on your browser
Depending on which search engine software you're using, the process to follow will be different.
Disabling WebRTC technology on Microsoft Edge couldn't be any easier. Simply type into the address bar about:flags to enter the settings. Scroll down and enable the option Hide my local IP address over WebRTC connections before restarting the browser.
Also doing so on Opera is quite intuitive. Open the settings on the left window and tap on Privacy & security. Head down to the section WebRTC and enable the option Disable non-proxied UDP. Restart then the search engine.
With Safari, go to Preferences and click on the Advanced tab. Here, check the box saying Show Develop menu in menu bar. Click on Develop in the menu bar and head on Experimental Features tab you can find in the drop-down menu. Scroll down to disable the WebRTC mDNS ICE candidates option.
If you are using Firefox, write on the search bar about:config. A warranty warning will appear, click on Accept the risk for carry on. At this point tap on Show all. You will see a long list of settings - be careful not to mess them up. To make it easier, search for media.peerconnection.enabled in the top bar. Press the Toggle button on the right so that the value in the middle will be identified as False.
If WebRTC tech can be disabled in Google Chrome for Android via the URL chrome://flags/#disable-webrtc, it cannot be switched off for the desktop version. That's where you must add a dedicated browser extension.
It is worth nothing that Chrome on iOS does not seem to apply the vulnerable parts of WebRTC technology responsible to expose local or external IP addresses - for now, at least.
2. Use a browser extension
Adding a browser extension to your search engine software can be an effective way to prevent WebRTC leaks from happening. As we mentioned before, it may be the only way if your browser doesn't permit switching it off.
Compatible with Chrome and Chromium browsers, WebRTC Leak Prevent prevents WebRTC leaks by controlling hidden WebRTC privacy settings.
While WebRTC Leak Shield protects you from this security threat by disabling the WebRTC technologies and prevent IP leaks.
3. Choose a better VPN service
While many providers claim to prevent WebRTC leaks, many fail to do so. But the good news is that the best VPNs work hard to protect users from WebRTC leaks in their apps.
The ExpressVPN browser extension - currently available from Chrome, Firefox and Edge - is meant for protecting your privacy by preventing websites from discovering your true IP address and location. Among the providers offering a similar feature there also are NordVPN, Surfshark and Avast SecureLine VPN.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com