Stun can also leak local IP info. A couple of years back I managed to satisfy myself and a co-researcher you could use a reference to a stun/turn instance to reveal local IP bindings behind the NAT. It's in the enumerated service capability list (I don't know the proper name for this but it was something the web clients of the day proferred when taken to the URL in the right way)