Sites may detect the local IP address in browsers supporting WebRTC

Whenever you connect to sites on the Internet information about the connection and the underlying system are available to the site automatically.

Information includes the web browser and version used to connect, the language, operating system and also the remote IP address.

While there are means to prevent the IP address from being revealed, by using proxy servers or virtual private networks for example, one IP address is revealed in the end.

The local IP address on the other hand was protected up until now which meant that sites could not use JavaScript to look it up. While plug-ins like Java allow sites to do that, users are usually notified when plug-in contents are executed on sites.

The recent integration of WebRTC in Firefox, Chrome and other Chromium-based browsers such as Opera have privacy implications as sites may use it to detect the local IP address of the computer.

You can test this by visiting this Github page which will reveal the local and public IP address when opened.

The main issue is that the local IP address can be used to identify your system when used in conjunction with other information retrieval techniques.

So how does it work?

WebRTC allows requests to be made to STUN servers (Session Traversal Utilities for NAT) which return local and public IP addresses for the system that is used by the user.

The results can be accessed using JavaScript which means that the only requirements for this to work are WebRTC support in the browser and JavaScript.

Protection

Ad-blockers such as Adblock Plus or Ghostery don't block these requests as they are made outside of the "normal XMLHttpRequest procedure".

 

The only extensions that block these look ups are JavaScript blocking extensions such as NoScript for Firefox. It is naturally also possible to disable JavaScript to prevent this from happening but this renders many websites unusable as well.

Firefox users can disable WebRTC

1. Type about:config in the browser's address bar and hit enter.
2. Confirm you will be careful if the prompt appears.
3. Search for media.peerconnection.enabled.
4. Double-click the preference to set it to false. This turns of WebRTC in Firefox.

Note: Turning of WebRTC means that services and applications that make use of it, such as Firefox Hello, won't work anymore.

Google Chrome and other Chromium-based browser users can install the WebRTC Block extension which disables WebRTC in the browser.

Additional information about WebRTC spying are available here.