WebRTC leaks and ways to prevent them

20 April 2022
WebRTC-based applications can do wonders for your development project, as the protocol enables easy communication with hardly any downsides. However, for privacy-conscious users, WebRTC leaks still pose a significant challenge. What exactly are WebRTC leaks, and how can you avoid them?

Table of Contents

What is a WebRTC leak?

The term “WebRTC leak” refers to an instance in which, during that process, an IP address of one of the participants of a WebRTC-based connection is visible to unauthorized third parties – it leaks out, so to speak.

Although WebRTC leaks are mostly about IP addresses, there is an added risk of information about media devices on your computer leaking out too. This includes peripherals like CD/DVD drives, audio input/output devices, microphones, cameras, etc. Luckily, device IDs that could be used to precisely identify and access the devices are safe, but a malicious actor can have a view into what kinds of devices are connected to your computer through a WebRTC leak.

How does a WebRTC leak happen?

Under the WebRTC protocol, the connection is facilitated by a signaling server negotiating the optimal route between the end-users. As discussed in our previous blog post detailing WebRTC servers, in that process, a STUN server will extract the information needed to establish the connection, including IP addresses, from users with additional security layers like firewalls or NAT devices. 

Depending on the app used to facilitate connection, sensitive information, like IP addresses, might be available in Javascript, making it easier to access. STUN servers submit their requests outside of the regular XMLHttpRequest process – an API for transferring information from a browser to servers – so you would not be able to spot a leaky request in the developer console.

Why are WebRTC leaks dangerous?

An IP address can reveal much more information about the user than you’d think. IP addresses can be used to pinpoint specific users, which could be problematic for public figures and targeted groups, as a third party obtaining your IP address could have the means to track your exact location. This could lead to a practice called “doxxing,” meaning your personal information, including your home address and contact information, could become publicly available. This could potentially lead to very dangerous situations.

The IP address can also be used to identify specific people for advertising, marketing purposes, and government surveillance. For some people, including targeted groups and the privacy-conscious, this would be undesirable and could constitute a threat.

How to prevent WebRTC leaks

WebRTC leaks can be avoided with a few possible solutions.

Use a trusted VPN connection

A reliable, trusted VPN (Virtual Private Network) will successfully mask your IP address from potentially malicious actors who could try to extract it. Ensure your VPN of choice is secure: before connecting, try searching the phrase “what’s my IP address” on your device and write down the resulting IP address. Then, connect to the VPN and repeat the query – if the IP address shown now is different, it means it’s protected from leaks by the VPN connection.

Use a different browser

Most internet browsers used nowadays are pretty good at protecting you from WebRTC leaks. However, if you cannot verify if your browser protects you well enough, try switching to a browser that guarantees that sort of protection from the get-go. There are several privacy-conscious web browsers, and their availability is growing rapidly.

Disable WebRTC in your browser

If you wish to further secure yourself, you can fully disable the WebRTC functionality in your browser’s settings. This will prohibit you from establishing WebRTC-based connections, but it could be helpful in certain delicate situations. You can always enable WebRTC in your browser again if needed.

Use secure STUN servers

When setting up your WebRTC application, remember to choose secure, reliable servers for essential functions, like STUN devices. If a hosting provider offers layers of protection to the data passing through the servers, it minimizes the risk of leaks at the very core.

Want to know more?

Our blog covers many topics regarding worldwide connectivity, game and app development, and industry-related topics. Keep an eye on our blog and follow us on social media to get all the information first!

Main Take-Aways
Secure your communications by using our dedicated servers, finetuned for optimal signaling and routing. Together with our ultra-low latency network, it effortlessly handles high volumes of traffic on popular WebRTC-based solutions.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.