Simple Browser Bug Lets Strangers Pinpoint Your Home Network
WebRTC still spills your IP address even behind a VPN, new study warns
WebRTC makes voice and video chat as simple as opening a tab. But its peer-to-peer design also hands over network details that can identify you. A peer-reviewed paper by researchers from Snowpack and Sorbonne Université shows that, in 2025, major desktop browsers on Linux, macOS and Windows still leak IP addresses through WebRTC, information that can enable DDoS, geolocation, and tracking. Despite best efforts, the risk is real, and it persists even when the user is tunneled through a VPN or proxy.
A cross-platform lab puts every major browser to the test
The team built a full test bed with STUN/TURN servers, Wireshark capture and dual-stack clients. They then cycled Firefox, Chrome, Edge, Safari, Opera and Brave through WebRTC “IP-handling” modes 1-4. They repeated the experiment on Ubuntu, macOS and Windows and confirmed that IP leaks occurred in every configuration they tried.
VPNs and proxies fail to hide you
Adding a VPN (the authors do not specify which implementation) together with SOCKS or HTTP/S proxies did not fix the problem. Firefox’s built-in proxy client, for example, still lets STUN/TURN requests bypass the tunnel. This exposes the real ISP-assigned IPv4 and IPv6 addresses and even tips off observers that a VPN is in use.
Because many university and enterprise networks route public IPs directly to desktops, the leaked addresses can pinpoint a user’s organization and physical region. The authors note that on two French university campuses running exactly this no-NAT architecture, a casual video call can turn into a corporate reconnaissance tool.
Stopping the bleed
To plug the hole, the researchers packaged Firefox inside a minimal Docker container. They then forced all traffic, including WebRTC, through a VPN. The containerized Firefox blocked every leak scenario, even when they simulated a compromised browser that ignored user privacy settings.
Benchmarks showed no measurable slowdown on Linux and only modest hits on macOS and Windows, significant only in graphics-heavy tests. This means users generally do not have to trade speed for secrecy.

Why it matters to everyday users
Leaked public IP addresses let adversaries locate you, map your network, and launch targeted denial-of-service attacks. They reveal internal subnets, printers, and IoT devices that can be weaponized in phishing or lateral-movement campaigns. Because WebRTC powers everything from Slack huddles to Google Meet, the risk is not theoretical. Instead, it rides in millions of browser sessions every day.
Practical steps until browsers catch up
For now, users can disable WebRTC or restrict it to “mode 4” where available. However, those settings break many video sites. A more robust workaround is to run your browser inside a VPN-routed container or VM and use WebRTC-aware firewall rules that block outbound STUN/TURN traffic, which helps prevent WebRTC leaks.
Developers should adopt mDNS host-candidate masking and lobby browser vendors to proxy ICE traffic through existing transport layers instead of raw UDP.
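To check whether a given setting or container setup actually masks your addresses, you can classify the ICE candidates your own browser produces. The following is an added example, not code from the paper: the function names, verdict labels and sample candidate lines are constructed for illustration, and it assumes the standard SDP candidate-line layout.

```javascript
// Added example: classify ICE candidate lines by what they disclose about the client.
// SAMPLE_CANDIDATES is constructed (documentation/private ranges), not captured traffic.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 3f2a9c1e-7b4d-4e8a-9c1f-0a1b2c3d4e5f.local 54321 typ host",
  "candidate:2 1 udp 2122194687 192.168.1.23 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 61000 typ srflx raddr 192.168.1.23 rport 54322",
  "candidate:4 1 udp 2122129151 2001:db8::1234 54323 typ host",
  "candidate:5 1 udp 41885439 198.51.100.7 3478 typ relay raddr 0.0.0.0 rport 0",
];

// Parse "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const f = line.replace(/^a=/, "").trim().split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  const c = { address: f[4].toLowerCase(), port: Number(f[5]), type: f[7], raddr: null };
  for (let i = 8; i + 1 < f.length; i += 2) if (f[i] === "raddr") c.raddr = f[i + 1];
  return c;
}

// RFC 1918, loopback and link-local IPv4; unique-local and link-local IPv6.
function isPrivate(a) {
  if (a.includes(":")) return a === "::1" || /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/.test(a);
  const [x, y] = a.split(".").map(Number);
  return x === 10 || x === 127 || (x === 172 && y >= 16 && y <= 31) ||
         (x === 192 && y === 168) || (x === 169 && y === 254);
}

function classify(c) {
  if (c.type === "relay") return "relay-only";        // address belongs to the TURN server
  if (c.address.endsWith(".local")) return "mdns-masked";
  if (c.type === "host" && isPrivate(c.address)) return "private-ip-exposed";
  return "public-ip-exposed";                          // routable host address or STUN-reflexive
}

// Returns one finding per parseable candidate; unparseable lines are skipped.
function audit(lines) {
  return lines.map(parseCandidate).filter(Boolean).map((c) => ({
    address: c.address, type: c.type, verdict: classify(c),
    // A real related address on srflx also reveals the local interface behind the NAT.
    raddrExposed: c.type === "srflx" && !!c.raddr && !["0.0.0.0", "::"].includes(c.raddr),
  }));
}

const leaks = (lines) => audit(lines).filter((r) => r.verdict.endsWith("-exposed") || r.raddrExposed);

console.log(leaks(SAMPLE_CANDIDATES));
```

In a browser, the same functions can be fed the `candidate` string from each `icecandidate` event on your own `RTCPeerConnection`; a setup that masks correctly should report only `mdns-masked` and `relay-only` verdicts.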
The road to leak-free real-time chat
The authors argue that browser makers must treat IP privacy like any other personal-data safeguard. This means on by default, impossible for hostile scripts to override, and verifiable by independent audits. Until that redesign materializes, containerization offers a practical WebRTC privacy fix for users who cannot live without WebRTC but refuse to give up their location every time they click “Join with Mic and Camera.”
