WebRTC Security: Real-Time Data Flaw Leaks Endpoint IP Addresses

For years, CPaaS API, e-commerce, content management system and other online solutions providers have known that browsers make real-time communications WebRTC security vulnerable to data flaws and IP address leaks. Yet the WebRTC flaw has persisted due to benign neglect, ignorance, sloth or just plain laziness, endangering data privacy for endpoint security customers and their MSSP partners. That’s important because many remote workers such as IT directors, road warriors, computer engineers and other personnel rely on real-time voice and video communications made possible by WebRTC. But they shouldn’t have to risk their endpoint security, IP addresses and data privacy in the process.

GeoEdge’s Adi Zlotkin

“WebRTC technology exists in all modern web browsers,” said Adi Zlotkin, head of security at GeoEdge, which has published a white paper on WebRTC malvertising. “WebRTC protocols are an open framework that provides browsers and mobile applications with real-time communications capabilities via simple APIs, allowing platforms to communicate via a common set of protocols. This open source technology is essential in sharing videos, yet can be exploited and used as a white encrypted data channel. Due to its peer-to-peer protocols, the technology is highly attractive to attackers, and the attacks launched are extremely difficult to detect since the data is sent directly between peers.”

So the very capabilities that make real-time communications possible through WebRTC are what put endpoint security at risk. And all the major browsers — Chrome, Edge, Firefox — have WebRTC flaws to some extent, which make WebRTC leaks inevitable.

SecurityScorecard’s Alex Heid

“WebRTC has powerful features that can reveal the real IP address, location and other identifying metadata about a user,” said Alex Heid, chief R&D officer at SecurityScorecard, a security company with solutions for measuring and communicating security risk. “Even when VPN services or other anonymization technologies are in place, web browsers configured to allow the WebRTC protocol can hypothetically be leveraged by attackers to obtain information about a target system or exploit a vulnerability in the application or browser. The WebRTC framework is open source, and therefore the code is available for analysis by both developers and malicious actors. Widespread adoption of WebRTC indicates this protocol will be a popular client-side attack vector going forward.”

WebRTC Security Leaks and Data Privacy Risks

Any two devices talking to each other directly via WebRTC need to know each other’s real IP addresses, according to network security experts. So in theory, a third-party website can exploit WebRTC leaks in your browser to detect your real IP address and use it to identify you.

Top10VPN.com’s Callum Tennent

“Technically, these WebRTC leaks aren’t flaws, they’re simply part of the browser design,” said Callum Tennent, site editor, Top10VPN.com a virtual private network (VPN) review website. “Efficient IP sharing is supposed to provide convenience and speed, so WebRTC uses clever techniques to figure out your true IP address and get around any firewalls that might otherwise prevent your real-time connection from taking place.”

The problem with WebRTC is that it uses techniques to discover your IP address that are more advanced than those used in “standard” IP…