WebRTC May Be Leaking Your IP

This is an important message for users of TunnelBear on Windows, Mac OS X or Android who use the Chrome or Firefox browsers. iOS users are not affected in any way.

What is WebRTC?

WebRTC is a browser feature drafted by the World Wide Web Consortium that supports browser-to-browser applications such as voice calling, video chat, and P2P file sharing.

What’s the problem?

On January 29th 2015, it was revealed that with minimal effort, a website owner could exploit WebRTC to capture your actual IP even while you are connected to a VPN like TunnelBear.

What should I do?

The TunnelBear team has implemented some changes to the latest versions of our apps (including the browser extension) that protect users from leaking their real IP. Make sure you have the latest version of the app or browser extension installed to ensure you’re fully protected!

When TunnelBear is active it now automatically ‘tunnels’ all WebRTC data. This means that WebRTC doesn’t have to be completely disabled to prevent leaks (which is useful if you use web apps that require WebRTC, such as voice calling or video chat web apps).

How can I check if the changes are working?

  • With TunnelBear turned OFF, visit https://diafygi.github.io/webrtc-ips/
  • Notice that your actual public IP is visible, along with a local IP address (usually assigned to you by your router)
  • Turn TunnelBear ON and refresh the page
  • Notice that your public IP is now a TunnelBear server IP and the local IP address is a completely new IP address. In fact, the local IP you’re now seeing is an IP address on the TunnelBear network (so it is nothing unique to you and cannot point back to you in any way)
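
The same OFF/ON comparison can be scripted. The following is an added example, not TunnelBear's code: it parses WebRTC ICE candidate lines recorded in your own browser with the VPN off and on, and reports any address that is still exposed once the VPN is on. The function names and all sample candidate lines are constructed for illustration.

```javascript
// Parse one ICE candidate attribute line:
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]
function parseCandidate(line) {
  const p = line.trim().replace(/^a=/, "").split(/\s+/);
  if (p.length < 8 || !p[0].startsWith("candidate:") || p[6] !== "typ") return null;
  const addresses = [p[4].toLowerCase()];
  const r = p.indexOf("raddr");
  if (r > 0 && p[r + 1]) addresses.push(p[r + 1].toLowerCase()); // related (base) address
  return { type: p[7], addresses };
}

// Coarse scope of an address as it appears in a candidate.
function addressScope(addr) {
  if (addr === "0.0.0.0" || addr === "::") return "unspecified";
  if (addr.endsWith(".local")) return "mdns"; // hostname that hides the local IP
  const m = addr.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    const isPrivate = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254);
    return isPrivate ? "private" : "public";
  }
  // IPv6: loopback, unique-local fc00::/7, link-local fe80::/10
  return addr === "::1" || /^f[cd]/.test(addr) || /^fe[89ab]/.test(addr) ? "private" : "public";
}

// Addresses visible with the VPN OFF that are still visible with it ON.
function findLeaks(offLines, onLines) {
  const seenOff = new Set(offLines.map(parseCandidate).filter(Boolean).flatMap(c => c.addresses));
  const leaks = new Map();
  for (const c of onLines.map(parseCandidate).filter(Boolean)) {
    for (const addr of c.addresses) {
      const scope = addressScope(addr);
      if (scope !== "mdns" && scope !== "unspecified" && seenOff.has(addr)) leaks.set(addr, scope);
    }
  }
  return [...leaks].map(([address, scope]) => ({ address, scope }));
}

// Constructed sample candidates (private and documentation address ranges only).
const vpnOff = [
  "candidate:1 1 udp 2122260223 192.168.1.23 50000 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.45 50000 typ srflx raddr 192.168.1.23 rport 50000",
];
const vpnOn = [
  "candidate:1 1 udp 2122260223 10.8.0.6 50001 typ host",
  "candidate:2 1 udp 1686052607 198.51.100.7 50001 typ srflx raddr 10.8.0.6 rport 50001",
];
const vpnOnLeaky = [...vpnOn, vpnOff[1]]; // a candidate that bypassed the tunnel
console.log(findLeaks(vpnOff, vpnOn), findLeaks(vpnOff, vpnOnLeaky));
```

An empty result for the ON capture matches step 4 above: both the public and the local address changed. Candidate lines can be copied from the browser's own WebRTC diagnostics page (chrome://webrtc-internals or about:webrtc).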

Don’t forget, once you’re connected to the TunnelBear network, you’re also protected by our ferocious privacy policy. Rawr!