Critical VPN Security Flaw Leaks Customer IP Addresses

Over the past few years, we’ve seen a veritable avalanche of security breaches and data leaks, while Congress has passed laws demolishing what little regulation existed to control how ISPs gather and sell your data. This has led many people to look for third-party privacy solutions. Virtual private networks (VPNs) offer a solution to some of these issues by masking one’s browsing habits, but only if the VPNs are themselves secure. New security research suggests many of them aren’t.

Paolo Stagno, who goes by VoidSec, has put together a comprehensive list of the VPN providers and web browsers that are impacted by the bug. WebRTC is an open source project that provides audio and video communication directly in-browser without an intrinsic need to integrate third-party applications. Audio, video, and networking components can be accessed in-browser via JavaScript API. This flaw isn’t new — it was discovered in 2015 — but providers haven’t done a good job of patching it.

VoidSec tested a total of 70 VPNs thus far and found that 16 of them leak data via this known WebRTC bug. He also set up a website you can use to test if your VPN leaks information, demo code you can run if you don’t want to submit your IP address to a web host, and a Google document where users can submit their own findings. In order to function, a VPN has to know both your real IP address and the public IP address it has assigned to you. WebRTC shouldn’t be allowed to query that information, but thanks to this bug, it can. This means the protocol can be used to unmask anyone using a VPN. VoidSec writes:

WebRTC allows requests to be made to STUN servers which return the “hidden” home IP-address as well as local network addresses for the system that is being used by the user.

The results of the requests can be accessed using JavaScript, but because they are made outside the normal XML/HTTP request procedure, they are not visible in the developer console.

The only requirement for this de-anonymizing technique to work is WebRTC and JavaScript support from the browser.

The following VPNs leak IP addresses:

As for browser-level vulnerability, be advised that most browsers rely on WebRTC and enable it by default. BleepingComputer also notes that another recent investigation by TheBestVPN.com found that many prominent VPN providers also log critical user details, including VyprVPN, Anonymizer, HideMyAss, and HolaVPN. Different companies log different things, but personal details, IP addresses, connection timestamps, device types, payment information, and the various websites you visit are all logged by at least some of these companies. In short, don’t assume that just because you’re using a VPN your data is actually being kept private in any meaningful way.

Continue reading

Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs

Intel, AMD, and Qualcomm are working to make Pluton part of their upcoming designs, which should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.

Recent iPhone Security Hole Becomes Universal Jailbreak

Apple urged iPhone owners to install the latest update to iOS last month, but that in and of itself wasn't unusual. What was unusual was the reason for the update. Apple rolled out iOS 14.4 to plug a security hole that online criminals were actively exploiting. Now, that vulnerability has popped up again as a universal jailbreak for iDevices.

The Best Smart Home Security Systems

Once a niche business with a few traditional players and some startups, home security systems are now a major battleground for not just security companies, but several internet giants. We round up highlights of the most popular options for 2020.

Microsoft Backtracks: Older PCs Won’t Receive Windows 11 Security Updates

Restricting feature updates and driver installations is fine. Security updates are a bridge too far.