Despite their purported use to protect user anonymity while browsing the internet, 23% of VPN providers may actually leak user IP addresses, according to a security report from VoidSec.

The issue stems from a bug in the open source WebRTC project. The particular vulnerability, discovered back in 2015, has to do with WebRTC STUN servers, which can record public and private IP addresses in JavaScript. Even worse is that the recorded IP addresses can be disclosed if a certain website already has a WebRTC connection established. Of the 83 VPN apps tested, 17 were found to be leaking information on the IP addresses, according to the report. This functionality could be also used to de-anonymize and trace users behind common privacy protection services such as: VPN, SOCKS Proxy, HTTP Proxy and in the past (TOR users).

Of the VPN providers tested, here are the ones that leaked IP addresses:

  • BolehVPN (USA Only)
  • ChillGlobal (Chrome and Firefox Plugin)
  • Glype (Depends on the configuration)
  • Hola!VPN
  • Hola!VPN Chrome Extension
  • HTTP PROXY navigation in browser that support Web RTC
  • IBVPN Browser Addon
  • PHP Proxy
  • psiphon3 (not leaking if using L2TP/IP)
  • SOCKS Proxy on browsers with Web RTC enabled
  • SumRando Web Proxy
  • TOR as PROXY on browsers with Web RTC enabled
  • Windscribe Addons

According to the post, Brave, Mozilla Firefox, Google Chrome, Google Chrome on Android, Samsung’s browser, Opera, and Vivaldi all have WebRTC enabled by default, the report noted.

To stay anonymous while surfing the internet, it is recommended that users disable WebRTC, JavaScript, and Canvas Rendering. Setting a DNS fallback for each connection and adapter, and killing browser instances before and after each VON connection is also recommended.

Adapted from an article on


Frankenstein Computers has been taking care of our happy clients since 1999. We specialize in IT Support, IT Service, MAC repair, PC Repair, Virus Removal, and much more.