ungoogled-chromium
ungoogled-chromium copied to clipboard
ungoogled-software
WebRTC still leaks the local IP of users
Describe the bug
Apparently the #enable-webrtc-hide-local-ips-with-mdns flag has no effect on this version, as the browser would ignore it (whether default or enabled) and still leak the local IP address even though the Chromium fix already rolled out
, now I don't know if I'm doing something wrong but https://browserleaks.com/webrtc still shows my local IP when it doesn't on Chrome v95.0.4638.69 or Edge v95.0.1020.40.
To Reproduce Steps to reproduce the behavior:
- Go to https://browserleaks.com/webrtc or https://tenta.com/test/
- Check local IP Address field
Expected behavior Should be N/A on https://browserleaks.com/webrtc or XXXXXXX.local on https://tenta.com/test/
Screenshots If applicable, add screenshots to help explain your problem.
Environment (please complete the following information):
- OS/Platform and version: Windows 10 21H1 x64 19043
- ungoogled-chromium version: 95.0.4638.69
Additional context While there may be ways to disable WebRTC and prevent the issue altogether, it is not the default and since Chromium has already implemented the fix, other extensions like uBlock Origin also removed their workarounds to prevent leaks (as can be seen in uBlockOrigin/uBlock-issues#1723). The combination of the user's real IP address and the local one can pose serious and dangerous security issues if exploited properly, and right now Chromium's official fix doesn't seem to be effective on this browser, nor does the flag work.
This is because ungoogled-chromium is built with mDNS disabled.
Interestingly it seems that uBlock Origin only removed the setting and not the code it enables since my existing profile's uBO is still blocking the local IP.
I have a simple patch that fixes this and I'll submit a PR soon once I've done a little more testing with it enabled.
I'm about to submit an issue like this, but since @i1u5 already brought it up. here you go :D
Was the mDNS patch from #1750 ever added? It's closed but kind of trails off into nothing, and local IPs are still leaking on 97.0.4692.71-1.
See https://github.com/Eloston/ungoogled-chromium/pull/1764#issuecomment-988877205
I haven't had a chance to work with this since then. I initially thought that the setting should be set up as a flag like most of the other options, but that would require a browser restart when switching so I think it might be better as-is. I'll test to make sure everything works correctly one of the next weekends and hopefully have a PR up after 98 lands.
I found an odd bug within chrome://settings/security that relates to this patch. It is the line of code {html_template} under the word Advanced. I have attached the image below to display what it looks like as well as another to show what the inspector tags it as.
Additionally, my local ip address still leaks with chrome://flags/#enable-webrtc-hide-local-ips-with-mdns set to enabled.
I'm running @kramred release 100.0.4896.88-1.1_x86-64__1649847004 macOS ungoogled-chromium binary.
Yes, I can reproduce that - both on macOS and Linux.
I had already included these patches from PR#1845 into my v100 branch but not tested if it actually works.
The patches still seem to be the same as in the current Hexavalent repo.
This will need some troubleshooting/testing, which I probably won't be able to do in the short term. Maybe cross-posting this to the Hexavalent repo might help?
Edit: I just realised that I had not used the updated PR - that's why the drop-down menu did not show up. The updated PR#1845 is equivalent to the current patches from Hexavalent. A new revision for macOS includes the current version; builds on GitHub Actions are running and should include the drop-down menu for the WebRTC IP Handling Policy.
The local IP is still leaked. Version 113.0.5672.126 (Official Build, ungoogled-chromium) (64-bit)
