WebRTC Leaks: A Complete Guide

VPNs protect our online privacy by hiding our IP addresses, but did you know that there's a browser feature that can compromise our anonymity, even when we're connected to a VPN?

By
&
Aliza Vigderman
Gabe TurnerChief Editor
Last Updated on Sep 23, 2021
By Aliza Vigderman & Gabe Turner on Sep 23, 2021

This feature is WebRTC, and today, we’ll talk about everything there is to know about it. What is WebRTC? Why do WebRTC leaks happen? And most importantly, how can we protect ourselves from this vulnerability?

Kaspersky WebRTC Leak Test on Windows
Kaspersky WebRTC Leak Test on Windows

WebRTC Leaks

To put it simply, WebRTC leaks can reveal your device’s public IP address, which is the unique identifier that your internet service provider assigned to your device.

That can be problematic, especially if you’re using a VPN. The whole point of using VPNs is to conceal your public IP addresses. If your browsers have WebRTC leaks, they could compromise your IP addresses anyway.

The result? Well, there are many things others can do with your IP address. For example:

  • Your internet service provider can track your online activity.
  • Governments can spy on you.
  • Cybercriminals can access or steal personal data.
  • Advertisers can send you personalized spam.

In short, WebRTC leaks pose big security risks. Not only that, but if you’re using VPNs to change your Netflix region and access georestricted content, WebRTC leaks can interrupt your bingeing sessions. No one wants that.

Know the Difference: Two or more devices can have the same private (local) IP address, but public (real) IP addresses are unique. That’s why concealing your public IP address is key to achieving online privacy.

What Is WebRTC?

To understand how risky WebRTC leaks are, we need to take a step back and talk about WebRTC first. WebRTC stands for Web Real-Time Communication. It’s a free and open-source project that provides web browsers and mobile apps with real-time communication capabilities.1

If you’re a website or app developer, WebRTC makes it easier to build communication solutions. But even if you’re not, WebRTC benefits us, the end-users.

One of the features of WebRTC is that it allows direct communication between browsers or apps without an intermediate server. That translates to faster and less laggy transfers of video, audio, and large files, which is why WebRTC is popular among video chat, livestreaming, and file transfer services. Some of the apps that use WebRTC are:

  • Google Meet and Google Hangouts
  • Facebook Messenger
  • Discord
  • Amazon Chime
Connecting to Surfshark on Windows WebRTC Leak Test
Connecting to Surfshark on Windows WebRTC Leak Test

The Problem With WebRTC

As you can see, WebRTC is not necessarily a bad thing. However, if you want to hide your IP address, there might be a slight problem. You see, any two devices that use WebRTC to communicate need to know each other’s public IP addresses.

This is where WebRTC leaks come in. Third-party actors can exploit WebRTC communication channels to obtain the real IP addresses of the parties involved, which would be a privacy threat. WebRTC leaks can even bypass the encrypted tunnels of some VPNs.

To make matters even worse, the exchange of IP addresses between two devices is a part of WebRTC’s basic functionality; it’s not something you can disable or skip. So how can we protect ourselves from WebRTC leaks? There are two options:

  • Find and block WebRTC leaks
  • Disable WebRTC on your browser entirely

How to Check for WebRTC Leaks

It’s pretty easy to check your browsers for WebRTC leaks.

  1. First, find out and write down your device’s public IP address. If you need instructions on finding your IP address, check out these how-to guides:
  2. Next, use the WebRTC leak test tool on ExpressVPN’s website.2
  3. If the IP address on the leak test tool matches your device’s IP address, then your browser might be leaking your IP address via WebRTC.

Remember that WebRTC is a browser feature, so if you use different browsers, be sure to test them all.

Note: Firefox, Google Chrome, Opera, and Microsoft Edge are most vulnerable to WebRTC leaks because these browsers default to WebRTC.

NordVPN connected
NordVPN connected

How to Block WebRTC Leaks

Now, if your browser is leaking your IP address via WebRTC, you need to block the leak immediately. You can do that by using VPNs. Yes, we know, we said earlier that WebRTC leaks can bypass some VPNs, but only because not all VPNs pay attention to this type of leak. That's why, when we're testing VPNs, we always perform WebRTC leak tests on them. For example, all the best VPNs in our book passed the WebRTC leak test. That means they allow WebRTC to function, but only through their encrypted tunnels. That way, outsiders and third parties can't exploit WebRTC communication channels to obtain IP addresses. To check if your VPN is capable of blocking WebRTC leaks, here's what you should do.

How to Block WebRTC Leaks with a VPN

  1. Disable your VPN.
  2. Find and note your device's public IP address.
  3. Turn your VPN back on.
  4. Open your browser to ExpressVPN's WebRTC leak test tool.
  5. If it's showing your device's real IP address from step two, then there is a leak. If it's showing a different IP address, then your VPN works.

If you find out that your VPN isn’t doing anything to prevent WebRTC leaks, you can contact your VPN provider and cancel your VPN service, switch to a new VPN, or proceed to the most surefire solution for WebRTC leaks: disabling WebRTC altogether.

Pro Tip: WebRTC leaks are one of the things we check when testing VPNs. Learn more about how we choose VPNs in our VPN guide.

How to Disable WebRTC

Before you disable WebRTC, keep in mind that doing so will prevent you from using the functionalities that come with it. That’s why we recommend trying VPNs first. VPNs will let you use WebRTC services but in a more secure way. If you’re sure you want to disable WebRTC, though, here’s how to do it.

Chrome

Fun fact: Google is one of the major supporters of the WebRTC project, and as such, there is no way to disable WebRTC on Chrome permanently. That’s unfortunate; however, there are browser extensions that will let you manage or disable WebRTC temporarily.

  • WebRTC Network Limiter: This Google-made add-on doesn’t turn off WebRTC, but it reconfigures WebRTC’s traffic routing options. One of the things it does is that it requires WebRTC traffic to go through proxy servers, making it harder for anyone to steal IP addresses.3 This is similar to what the best VPNs for Chrome do, but instead of encrypted tunnels, the WebRTC Network Limiter uses proxy servers.
  • WebRTC Control: This simple browser extension lets you turn WebRTC on and off. When WebRTC Control is on, your Chrome browser will stop using WebRTC.
  • WebRTC Leak Prevent: Similar to the WebRTC Network Limiter, this extension prevents WebRTC leaks by controlling hidden WebRTC privacy settings and routing options.
  • WebRTC Protect – Protect IP Leak: By default, this browser extension disables WebRTC. However, you can configure it to let you keep using WebRTC. If you do, it will control your WebRTC routing options, kind of like WebRTC Network Limiter.

Safari

Safari is stricter than most browsers in terms of handling users’ privacy. Some might even say that you don’t need to turn off WebRTC at all, and that all you need is a good VPN for Safari. However, if you want absolute peace of mind, you can turn off WebRTC in a few simple steps:

  1. Open Safari.
  2. Click Safari on the menu bar.
  3. Click Preferences.
  4. In the Settings window that pops up, go to the Advanced tab.
  5. Scroll down and tick the checkbox that says Show Develop Menu In Menu Bar.
  6. Close the Settings window.
  7. Click the Develop button on the menu bar.
  8. Select Experimental Features.
  9. Click Remove Legacy WebRTC API.

Take note that disabling WebRTC on Safari affects only the current session. Once you close and re-open the browser, WebRTC will turn back on.

Firefox

Like Google, Mozilla Firefox is a heavy supporter of WebRTC. If VPNs for Firefox can’t prevent WebRTC leaks, you can turn off WebRTC entirely by following these steps:

  1. Open Firefox.
  2. Type about:config into the address bar.
  3. Click I Accept The Risk!
  4. Type media.peerconnection.enabled into the search bar.
  5. Double-click the result to change the value from True to False.

Edge

Lastly, here’s how to disable WebRTC on Microsoft Edge:

  1. Open Edge.
  2. Type edge://flags into the address bar.
  3. Hit Enter.
  4. Look for Anonymize Local IPs Exposed By WebRTC.
  5. Click the drop-down menu next to it and select Enable.
  6. Edge will prompt you to restart the browser for the new settings to take effect.
  7. Close and then reopen Edge.

What About Device IDs?

Although the main issue with WebRTC leaks is the leakage of IP addresses, third parties can also use WebRTC to obtain some information about the media devices on your computer. These are your microphones, cameras, audio output, CD players, and others. For example, if you go to the Browser Leaks website,4 which is another website that can detect WebRTC leaks, you can see what types of media devices are on your computer.

Fortunately, browsers don’t allow third parties to obtain device IDs, which are unique 16-digit codes specific to media devices. However, third parties can still see what types of media devices you have, as well as the hashes that your browser generates in place of device IDs.

And since these browser-generated hashes change only when you clear your browsing data, it could only be a matter of time until someone figures out a way to use that information against you. The good news is, blocking WebRTC leaks, either by using VPNs or disabling WebRTC, prevents these pieces of information from leaking.

Recap

Despite all the good things WebRTC brings — faster livestreaming, less laggy video communication, smoother file transfers — we can’t ignore the threat that its leaks pose to our privacy. As we always say, privacy is everything and we can never be too secure online. While we wait for WebRTC developers to come up with solutions for WebRTC leaks, our best bets for now are to use reliable VPNs or to disable WebRTC entirely.

FAQs

To sum everything up, let's answer some FAQs about WebRTC and WebRTC leaks.

  • How do I fix WebRTC leaks?

    You can fix WebRTC leaks by either using a VPN that blocks WebRTC leaks or disabling WebRTC on your browsers entirely. The former is the best solution if you want to enjoy all the functionalities that come with WebRTC, but with better security. VPNs that block WebRTC leaks allow WebRTC to work on your browser, but only through encrypted tunnels. That prevents anyone from stealing your IP address by exploiting WebRTC communications.

  • How do I stop WebRTC from leaking in Chrome?

    To stop WebRTC from leaking in Chrome, you can use a VPN whenever you use Chrome. VPNs route WebRTC communications through encrypted tunnels, preventing WebRTC leaks. You can also use Chrome extensions like WebRTC Network Limiter, which reconfigures the routing options of WebRTC to make them more secure, or WebRTC Control to turn WebRTC on and off at will.

  • Should I turn off WebRTC?

    That depends. You shouldn’t turn off WebRTC on your browser if you use websites or services that rely on WebRTC, like Google Hangouts, Google Meets, or Facebook Messenger. However, if the services you use don’t use WebRTC, turning off the feature prevents WebRTC leaks entirely.

  • How do I know if WebRTC is leaking?

    You can find out if WebRTC is leaking by following these simple steps:

    1. Find and note your device’s public IP address.
    2. Go to ExpressVPN’s WebRTC leak test website or any online tool that detects WebRTC leaks.
    3. If your public IP address matches the IP address on the website, then your WebRTC is leaking.
Citations
  1. WebRTC.org. (2021). Real-time communication for the web.
    webrtc.org/

  2. ExpressVPN. (2021). WebRTC Leak Test.
    expressvpn.com/webrtc-leak-test

  3. Chrome Store. (2021). WebRTC Network Limiter.
    chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia?hl=en

  4. BrowserLeaks.com. (2021). WebRTC Leak Test.
    browserleaks.com/webrtc