Mozilla Firefox leaks original IP and further information on your local network regardless of proxy/VPN use

Call for action: Please publish your experience with this leak on Twitter (#webRTCipleak) to stop this threat to privacy and to raise the priority of fixing it at browser level!

Solution:
The browser MUST always ask for user consent before reaching a STUN server, WITH a notice that this will unmask VPN/proxy use.


Please note: Tor-Browser (FF ESR 24.4 with Tor-config) and browsers with JonDoFox-configs are NOT affected!


emergency fix for users at end of page

Find below the IPs revealed to any website with 50 lines of JavaScript when using current Firefox browsers v24 - v28 with the default config.
This script performs five rounds to get all the information: apparently the STUN server resolving the PC address sometimes returns differing results.
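
As an added example (not the test page's own script), the JavaScript below audits ICE candidate lines of the kind a WebRTC-enabled browser gathers: it separates local-network addresses from STUN-reported public addresses that differ from the expected VPN exit address. The candidate lines, all addresses and the function names are constructed for illustration.

```javascript
// Added example (not from the original page). Candidate lines are constructed
// and use private (RFC 1918) and documentation (RFC 5737) address ranges.
const SAMPLE_CANDIDATES = [
  "candidate:0 1 UDP 2122252543 192.168.1.23 51234 typ host",
  "candidate:1 1 UDP 2122187007 10.8.0.6 51235 typ host",
  "a=candidate:2 1 UDP 1686052863 198.51.100.7 51235 typ srflx raddr 10.8.0.6 rport 51235",
  "candidate:3 1 UDP 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234",
  "not a candidate line",
];

// Parse one ICE candidate attribute: foundation, component, transport,
// priority, address, port, "typ" <type>, optional "raddr"/"rport".
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport \d+)?/i
    .exec(String(line).trim());
  return m ? { address: m[1], port: Number(m[2]), type: m[3].toLowerCase(), related: m[4] || null } : null;
}

// True for RFC 1918 and link-local IPv4 addresses (local-network information).
function isPrivateIPv4(addr) {
  const p = addr.split(".");
  if (p.length !== 4 || p.some((s) => !/^\d{1,3}$/.test(s) || Number(s) > 255)) return false;
  const [a, b] = p.map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Report what the candidates expose. vpnExitIp is the address a site is
// expected to see; any other server-reflexive (STUN-derived) address is a leak.
function auditCandidates(lines, vpnExitIp) {
  const local = new Set(), leaked = new Set();
  let unparsed = 0;
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { unparsed++; continue; }
    for (const a of [c.address, c.related]) if (a && isPrivateIPv4(a)) local.add(a);
    if (c.type === "srflx" && c.address !== vpnExitIp) leaked.add(c.address);
  }
  return { localAddresses: [...local].sort(), leakedPublic: [...leaked], unparsed };
}

console.log(auditCandidates(SAMPLE_CANDIDATES, "198.51.100.7"));
```

With WebRTC disabled as in the emergency fix on this page, no candidates are gathered, so the report comes back empty.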




Firefox 28: emergency fix

In Firefox, open "about:config" from the address line
proceed at the prompt
search for "media.peerconnection.enable"
change the value (double-click on the line) from "true" to "false"
check on this site whether the issue is solved, and close "about:config"

proposed long-term solution of the problem

The browser MUST always ask for user consent before reaching a STUN server, WITH a notice that this will unmask VPN/proxy use.




history

March 29, 2014: discovered the problem & published via Twitter (after repeated tweets to @firefox with no reply)

March 29, 2014: mail to firefox.security

March 29-30, 2014: mail to bsi.bund.de, heise security, the guardian project

March 29-30, 2014: Firefox assigned https://bugzilla.mozilla.org/show_bug.cgi?id=959893 priority:normal ??

March 30, 2014: Chromium has a similar problem, in particular regarding some network/local network information (see note below):

March 31, 2014: Learned from the JonDonym makers that the problem has been known since FF24 and that another test page exists here:


TEN MONTHS LATER
January 31, 2015: The very same VPN/IP leak issue, made public by an American coder, raised much more interest on Twitter and in web magazines: https://diafygi.github.io/webrtc-ips/
LEARN: You need to be American to get heard ??



Note on Chromium (via Knoppix 7.1): my VPN is partly working here. Chromium shows IP information that might be my VPN entry-point IP and port. If so, it would be enough to deanonymize me with the help of my provider. I've got tweets from others who stated that Chrome/Chromium had displayed their original IP (unmasked the VPN), like Firefox does. But I could not reproduce this so far. No fix for Chrome.

Twitter: @vitalyenbroder #webRTCipleak