Chromium based browsers leak user local IP via WebRTC foundation attribute

268 points, posted by proszkinasenne2 over 2 years ago

17 comments

xg15, over 2 years ago
Many comments on this thread are about the pros and cons of leaking the local IP *in an ICE candidate entry*. You can certainly discuss this, but in my understanding, that's not what this post is about at all.

The issue is about leaking the local IP in the *foundation* which is supposed to be some sort of opaque UUID - the local IP isn't supposed to be in there at all, whether you want LAN connections or not.

Is this correct?
Eisenstein, over 2 years ago
This can be disabled in Brave by turning "WebRTC IP handling policy" to "Disable non-Proxied UDP" in "settings -> Privacy and Security".
Semaphor, over 2 years ago
What’s the issue there? How is knowing the local IP a security issue?

And FWIW, the local IP does not get leaked when using a VPN. (edit: Or rather, the VPN local IP gets leaked. Same question, no idea if that’s security relevant in some way?)

edit: Thanks everyone, I completely forgot about fingerprinting.
Fnoord, over 2 years ago
WebRTC was already known to leak local IP. Which can be dangerous if you're behind a VPN.

I use two browsers. One with WebRTC disabled (Firefox) and one with WebRTC enabled (Safari/Chromium). The former also runs a myriad of other addons which increase privacy. The latter I use to connect to PiKVM.
thesuperbigfrog, over 2 years ago
If you are unfamiliar with WebRTC I recommend checking out "WebRTC for the Curious":

https://webrtcforthecurious.com/

WebRTC is designed to be secure, so a privacy leak is not good.
Scharkenberg, over 2 years ago
I am using Microsoft Edge and the test on the linked page times out without detecting anything. Perhaps it is because I've enabled the "Anonymize local IPs exposed by WebRTC" flag.
saghul, over 2 years ago
Has this been reported to Chromium / WebRTC? At a quick glance I don't see it in the WebRTC bug tracker.
ajross, over 2 years ago
The root technical issue here seems to be that the IPv4 space is fundamentally pretty small and easy to search, the browser just uses a crc32 to obscure the local IP address, and you can write code to brute force it with a little sophistication.

The security impact, as others are pointing out, is pretty minimal. Knowing a local IP address behind a NAT isn't "not" a privacy issue (e.g. I can see things like gaming anti-abuse using tricks like this to discriminate users who need to be blocked vs. normal players), but it's not much of one.
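
Added example, not part of the thread and not Chromium's code: why an unkeyed CRC32 over a private IPv4 address is not an opaque identifier, next to a keyed per-session identifier that resists the same enumeration. It assumes the identifier covers only the address string; the sample address, the function names and the HMAC-based mitigation are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
import zlib

# RFC 1918 private ranges: every address a host behind NAT can plausibly have.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def search_space() -> int:
    """Number of candidate private IPv4 addresses (about 2**24.1)."""
    return sum(net.num_addresses for net in PRIVATE_NETS)


def unkeyed_id(ip: str) -> str:
    """Assumed model of the weak scheme: decimal CRC32 of the address string."""
    return str(zlib.crc32(ip.encode()))


def keyed_id(ip: str, key: bytes) -> str:
    """Mitigation sketch: HMAC-SHA256 under a per-session key, truncated."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def matching_addresses(identifier, net, id_fn):
    """Every address in `net` whose identifier equals `identifier`."""
    return [str(a) for a in net if id_fn(str(a)) == identifier]


if __name__ == "__main__":
    lan = ipaddress.ip_network("192.168.0.0/16")
    sample = "192.168.1.23"  # constructed sample address
    print("candidate space:", search_space())
    # Unkeyed: anyone can recompute the checksum for each candidate.
    print("unkeyed:", matching_addresses(unkeyed_id(sample), lan, unkeyed_id))
    # Keyed: an observer without the session key finds no match.
    session_key = secrets.token_bytes(32)
    observer_key = secrets.token_bytes(32)
    print("keyed:", matching_addresses(
        keyed_id(sample, session_key), lan,
        lambda ip: keyed_id(ip, observer_key)))
```

A fresh key per session also makes the identifier differ between sessions, so it cannot serve as a stable fingerprint.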
jackewiehose, over 2 years ago
How to disable WebRTC on Firefox Mobile? I have uBlock which prevents from leaking the local IP but I don't want WebRTC at all.

Why did they take about:config from us?
ck2, over 2 years ago
* https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address

* https://browserleaks.com/webrtc
sesm, over 2 years ago
Is user IP leaked to another peer if there is a media server (like Kurento) between peers? I’ve worked in 2 WebRTC-based projects and in both cases the connection was not actually P2P, but had some kind of media server in between, either to mux multi-user conferences or to re-encode the media to a format supported by the other peer.
encryptluks2, over 2 years ago
I'm not getting a leak with Chromium, but that is probably because I have my policy set to `default_public_interface_only`. I believe this is by design as WebRTC notoriously leaks local IPs.
AtNightWeCode, over 2 years ago
WebRTC again. On the same page. There is no isolation between remote and local networks in browsers.
Gualdrapo, over 2 years ago
I seem to recall Fallon (based on Chromium) has a feature which disables that.
plaguepilled, over 2 years ago
What does "Used 0 keys for lookups" mean?
matheusmoreira, over 2 years ago
I think uBlock Origin prevents that.
jovial_cavalier, over 2 years ago
It gets "leaked" to a web app that I'm choosing to connect to? Why do I care?