psychlops

VPN Security flaw... does this affect AirVPN?

The individual user is at risk. There's also a thread covering this.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

Link to post

Yet one more reason to be on a Linux system! Also, if you are employing a partition of trust with TOR (over Air) the TBB is set to eliminate that risk already.

I don't have a Windows unit to do some tests with.

Link to post
Guest

Or a Mac. Just saying.

Link to post

Fix for Chrome users:

Adding the WebRTC Block Extension from the Chrome Store seems to fix the problem on Chrome (Windows 8.1).

Fix for Firefox users:

Type “about:config” in the address bar. Scroll down to “media.peerconnection.enabled” and double-click to set it to false.

Link to post

I am disappointed. Why hasn't Air made its users aware of this huge security risk?

Even now, I don't see an announcement from staff regarding this issue.

Someone has started a thread in the off topic section, fine, but I think this issue is important enough to warrant a staff reaction on the front page.

Or at least in the announcement section of the forum.

It seems to have been known a long time; see this article from 12 September 2013 https://hacking.ventures/local-ip-discovery-with-html5-webrtc-security-and-privacy-risk/

I know it can be solved by setting "network lock" on, but before reading this yesterday I wasn't aware of this.

Link to post


Hello!

When we have gathered all the data, we will make an announcement. In the meantime, last night we activated a check on ipleak.net pertaining to the issue. Note: only Windows systems with Firefox and Chrome with WebRTC peer connections enabled and Network Lock disabled seem to be affected so far, but we are still investigating.

 

Kind regards

Link to post

This ought to be a sticky right about now, until the thing cools off. It is a nasty one. Everyone else should change all the settings!

Link to post

Hmmmm... I don't get it.

I checked and my Firefox has the media.peerconnection.enabled set to TRUE.

I then went to ipleak.net and saw the IP address of the AirVPN server I'm connected to.

Below I see:

Private IPv4 detected:

And two IP addresses. One is the address of my machine on the internal network (a 192.168.xxx.xxx one, to be clear) which obviously has no privacy impact, the other is an IP which doesn't appear to have anything to do with my ISP, as it's an iana.org address... why does that show up?

Edit: by using ipconfig /all I see that the "iana.org" address is the IPv4 Address of the TAP-Windows Adapter that gets installed by OpenVPN. But it still does not have anything to do with my ISP...

Edit 2: after disabling media.peerconnection.enabled in FF and installing the WebRTC blocking extension for Chrome, I see the difference. No IP is read whatsoever. Without the modifications, though, from what I saw before, I would assume that while using AirVPN one wasn't leaking private information anyway (unless somebody has a use for my machine's local address, that is...).

Link to post

Or a Mac. Just saying.

Just so Mac users don't believe they are safe from this: according to the ipleak site, my Firefox and Chromium installations on OS X both leaked my IPs. Just saying!

Link to post

 


Hello!

 

Please provide at your convenience more info: OS X version, tested browsers in particular, thank you!

 

Kind regards

Link to post

In the meantime, last night we activated a check on ipleak.net pertaining to the issue.

 

Came here to suggest this and it's already done. Glad I picked AirVPN as provider. Keep up the good work!

Link to post
Guest JWW


I had the same result and installed the Chrome extension resulting in 'No leak...' on ipleak. But I still don't fully understand the full implications, if any, of the results we both saw before. Are there any? Can someone enlighten me? 

Link to post
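
To make the ipleak.net results discussed in the posts above concrete, here is an added example (not part of the thread and not ipleak.net's code) that classifies the IPv4 addresses found in WebRTC ICE candidate lines as private, VPN exit, or leaked. The candidate lines, all IP addresses and the function names are constructed for illustration.

```javascript
// Added example: classify addresses found in WebRTC ICE candidate lines.
// All candidate lines and IPs below are constructed sample data.

// RFC 1918 private ranges plus loopback and link-local, as [base, prefix length].
const NON_ROUTABLE = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16],
];

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

function isNonRoutable(ip) {
  const n = ipToInt(ip);
  return NON_ROUTABLE.some(([base, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(ipToInt(base) / size);
  });
}

// RFC 5245 candidate layout:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line);
  if (!m || ipToInt(m[1]) === null) return null; // skip IPv6, hostnames, malformed lines
  return { address: m[1], type: m[2] };
}

// One verdict per IPv4 candidate, given the VPN exit IP the user expects sites to see.
function assessCandidates(lines, vpnExitIp) {
  return lines.map(parseCandidate).filter(Boolean).map(({ address, type }) => {
    let verdict;
    if (isNonRoutable(address)) verdict = 'private';      // LAN or tunnel adapter address
    else if (address === vpnExitIp) verdict = 'vpn-exit'; // what remote sites should see
    else verdict = 'LEAK';                                // public address outside the tunnel
    return { address, type, verdict };
  });
}

const SAMPLE = [ // constructed: LAN host, tunnel adapter, VPN exit, ISP-assigned address
  'candidate:1 1 udp 2113937151 192.168.1.23 51000 typ host',
  'candidate:2 1 udp 2113937151 10.4.0.6 51001 typ host',
  'candidate:3 1 udp 1677729535 198.51.100.20 51002 typ srflx raddr 10.4.0.6 rport 51001',
  'candidate:4 1 udp 1677729535 203.0.113.77 51003 typ srflx raddr 192.168.1.23 rport 51000',
];
console.log(assessCandidates(SAMPLE, '198.51.100.20'));
```

Only the last sample line is a leak in the sense of this thread: a public address that is not the VPN exit. The two private addresses correspond to the kind of entries listed under "Private IPv4 detected".
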

 

 


OS X Yosemite 10.10.1 with Firefox 35.0.1 and Chromium 38.

Link to post

Tried it on Safari using 10.10.2. Doesn't seem to be affected. Chrome and Firefox were though. Did the suggested action for Chrome and it worked fine. Just about to do the same for Firefox - I am quite surprised they haven't fixed this themselves yet, but never mind.

Interestingly, Chrome and Firefox both didn't reveal my real IP before the fix, just some other IP in the UK. I guess it is worth doing anyway though.

Link to post

Just add an app, at least for Chrome, to block WebRTC detection. I added that in Chrome and it doesn't show my real IP or DNS address.

Link to post

Apparently WebRTCBlock does not work anymore for Chrome. Using ScriptSafe, also from the Chrome store, does block everything except my distant AirVPN server on ipleak.net though.

Link to post
