WebRTC_LEAK

That didn’t take long. Just a few month’s back TorGuard became aware of a new security vulnerability that allowed websites to find a user’s real IP by making secret STUN requests via WebRTC. Now it appears we have our first case of this actually being used in the wild, ironically in the name of “user privacy”.

Over past few weeks people started noticing something unusual when visiting websites arstechnica.com, washingtonpost.com, nbcnews.com, ft.com, cnbc.com, Bloomberg.com, wired.com and other similar US websites. It appeared that all of these websites were sharing the same advertisement tracking javascript from a URL: s.tagsrvcs.com. Additionally, this URL appears to be logging something every few seconds.

Further analysis of the javascript using Chrome’s devtools revealed that an RTCPeerConnection was created and actively making STUN requests to a server: ph.tagsrvcs.com. While it was difficult to track all of the JS code’s actions, researchers were able to determine the code did attempt to collect the user’s IP address, repeatedly.

Most of us are well aware that websites and online marketing agencies employ various methods of user tracking for analytics and market research. Many choose to block these URLs with apps like the EFF’s PrivacyBadger, however these tools are useless against intrusive WebRTC STUN requests. The only way to completely block these requests is to use TorGuard’s WebRTC leak block feature over VPN, or to ditch javascript entirely.

Let’s Break Some Stuff, eh?

Shortly after this issue began attracting increased attention, Dan Kaminsky, the Security researcher and co-founder of WhiteOps, offered up an explanation:

“Dan Kaminsky here, my apologies for kicking up a ruckus. This is part of a bot detection framework I’ve built at White Ops; we basically are able to detect browser automation using resources exposed in JavaScript. Nothing dangerous to users — or we’d go file bugs on it, which we do from time to time — but it does provide useful data regarding post-exploitation behavior. Happy to jump on a call with anyone concerned or worried; I’m over at [email protected].”

On github, Dan explained that the code was actually part of a project he was working on for ad networks that helped combat the usage of bots:

“This is part of an anti-bot technology I’ve been developing at White Ops (whiteops.com) for some time. There’s a flip side to privacy here; turns out something like 2/3rds of bot fraud comes from home users who get compromised so as to effect more ad fraud. We’re basically attacking the funding channel that gets people hacked. But it does require us to be able to detect the hacking, so we have these tests deployed.”

Only a few days after defending these actions, Dan disabled all STUN requests. Users have confirmed that the WebRTC code is no longer active on these websites and has been replaced with an alternative script.

Don’t Compromise on User Privacy

While the intentions may have been respectable, overreaching actions that negate user privacy almost always come with inherit risks. In this case we must ask ourselves, is it worth breaking internet privacy in the name of advertisement fraud? We think not.

With big data, comes big responsibility. Any ad network that routinely violates user privacy in the name of analytics will in time become a large target themselves for surveillance operations. If you cannot fully trust the person in charge of tracking all that data, good intentions can turn malicious very quickly.

Never entrust your personal privacy to some random website or ad network, who’s terms of service you probably don’t have access to. TorGuard anonymous VPN provides easy to use privacy solutions that blocks advertisers from knowing your personal IP address or true location. With simple VPN apps that feature WebRTC leak block and IPv6 leak prevention measures, you can be sure your personal IP address is no one’s business but your own.

Share this post