A new JavaScript code can reveal all your Public and Private IPs to servers you’re accessing. These requests are not stoppable by privacy and adware plugins, such as Ghostery or Adblock.

It’s called a STUN (Session Traversal Utilities for Nat) IP address request for WebRTC (WebRTC is a peer to peer communications protocol allowing an easy browser voice and video communication). They are made outside of the XML/Http request procedure which makes it not even able to be seen in the developer console. These requests allow online tracking if an advertiser has a STUN server set with a wildcard domain. It is used for P2P media chat purposes, but this should be set to false and only prompt a user to enable it when this functionality is needed.

This flaw actually reveals users over VPNs, proxies, and TOR. This is a massive security vulnerability if the user has not taken additional precautions. It can even reveal the VM type based on certain IP ranges (Virtual Box uses 192.168.56.1). The TOR Browser has this feature disabled, and the TOR project recommends turning off JavaScript to avoid many vulnerabilities of this sort.

Currently, this is allowed in Firefox and Chrome through their implementation of WebRTC. So far, it is only possible to disable it in Firefox, while Chrome offers this extension.

To disable the WebRTC functionality, follow these steps on Firefox:

Type “about:config” in a new tab,

Find “media.peerconnection.enabled” and toggle it to false:

Other solutions are to change browsers (like IE or Safari) or to disable JavaScript. You can disable JavaScript by installing an extension such as NoScript.

To test if your browser is vulnerable to this type of attack, you can visit this site https://diafygi.github.io/webrtc-ips/.