The popular tor browser for Android devices, Orweb is also vulnerable to the WebRTC leak if javascript is enabled. This is a vulnerability affecting all major browsers I've tested so far. Using the STUN protocol, an unpatched browser behind a VPN or socks proxy (like tor, or even ssh) will leak your real IP. Of course, Javascript is disabled by default in Orweb. However, I can only imagine that lots of people turn it on when they need to access content that requires it.
I tested it from behind an OpenVPN server, on a network behind two seperate firewalls. Although my true IP was not leaked, the VPN server's public IP, the VPN local IP, and both LAN network IP addresses were leaked...
It is fixable on all platforms I've tested with Firefox. As far as I know it's still broken in Chrome, as well as Chromium. But I was pretty surprised to see that this also affects Orbot. If you need to use tor on your mobile device, do not enable javascript. You may even be better off proxying Firefox through Orbot and using a script block plugin with https everywhere. Remember, you do need to patch Firefox first, however. That's as easy as navigating to about:config and scrolling to media.peerconnection.enabled and toggling it to false.
What a mess.
No comments:
Post a Comment