Firefox Vulnerability: Check your own sytem.
I found out last night that Firefox leaks internal data to the internet. I always thought Firefox is about security, but somehow Firefox ships default with the WebRTC leak vulnerability. I have 69.0 installed. Visit this site. Do you see your INTERNAL IP ADDRESS listed. "https://www.whatismyip.com/" If so then Firefox is compromising your safety by means of WebRTC leak.
Here is the possible hacks that can use Firefox and WebRTC and the solutions how to fix it. "https://restoreprivacy.com/webrtc-leaks/"
I installed 69.0 on 15 September 2019 long after it was reportedly fixed according to (https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/). It STILL has the vulnerability on my 69.0 installed straight from mozilla.
Better to check if you have the vulnerability. Firefox really should take security much more serious if the advertise constantly that they are all about security.
Confirm by reply if your internal IP shows up.
All Replies (11)
See also:
- WebRTC Leak Shield https://addons.mozilla.org/firefox/addon/webrtc-leak-shield/
about:config in URL field followed by search for media.peerconnection.enabled. Set it to false.
Safer than an addon.
Setting media.peerconnection.enabled = false disables WebRTC entirely, so there is no way that a website can misuse it. This also means that you won't be able to use services that use WebRTC if you would ever come across this. You would have to remember to redo this in case you create a new profile or use therefresh feature in Firefox.
Here is probably a better test "https://browserleaks.com/webrtc"
cor-el said
Setting media.peerconnection.enabled = false disables WebRTC entirely, so there is no way that a website can misuse it. This also means that you won't be able to use services that use WebRTC if you would ever come across this. You would have to remember to redo this in case you create a new profile or use therefresh feature in Firefox.
I cannot see why I should use a Vulnerability as an application. The entire WebRTC is a critical flaw it seems. I just switch it off and dont have intrusion scares.
Reported back in 2015 "In January 2015, TorrentFreak reported a serious security flaw in browsers that support WebRTC, saying that it compromised the security of VPN tunnels, by exposing the true IP address of a user.[34] The IP address read requests are not visible in the browser's developer console, and they are not blocked by most ad blocking/privacy/security add-ons, enabling online tracking by advertisers and other entities despite precautions[35] (however the uBlock Origin add-on can fix this problem).[36]"
and today 29 september 2019 we still have the Security Flaw in firefox using it ..!! ?? definitely do not install confidence in firefox's security claims.
It is my opinion to just wait until they eventually give up or fix it, whichever comes first. For now it is best to just switch it off, unless there is very good reason to do so. In that case Firefox should be run in a secure container. The entire WebRTC thing just doesnt make sense currently.
Firefox should have it DEFAULT OFF as it is a big risk to the user shippping Firefox with a known vulnerability. The few people that really need it can switch it on.
Modified
I just checked. All my android tabs, iphones and other pcs running firefox all had the same vulnerability.
Firefox needs to ship webRTC default off. Most users 90+% would never even know about this or be able to fix it. It is utterly irresponsible for firefox to ship firefox with media.peerconnection.enabled TRUE
This is just advertising to get hacked enabled by firefox.
Modified
nice pick, i was not aware of this fact and now i really think that its better to check if you have the vulnerability or not. Firefox really should take security much more seriously. is this vulnerability also affects the websites we open in FF, i really want to know about this in detail, recently my site was infected with a wordpress malware redirect and i think this may be the culprit.
larsonreever, Basically it is probably one of the first thing malicious sites check. Firefox out of the box as it currently stands, passes on your public IP address and your INTERNAL IP address by means of webRTC. This is serious. In addition your microphone and media Device ID's are also ,made available to any website that is interested. Although the addresses could be hashed and unusable, the Ip addresses plus available audio device ID's can be used pretty easily not only for tracking, but clearly also possible for hacking. What is the point you have a very good stealth firewall, when this security bug just passes on your internal and public address straight to any interested website. It is my opinion it is the basis of a lot of browser based intrusions.
I caught this as I am constantly monitoring lan & wan traffic packages to and from my firewall and it picked up my internal address inside a package which lead me after some time to firefox being the culprit.
I would not at all be surprised if your trouble you listed is due to this. This flaw combined with e.g. FF ESR can create a lot of trouble if flash is enabled in ESR etc. There is a lot of info a cracker can get when you just by accident visiting an infected site, while the webRTC flaw is active in Firefox. Once the internal IP address is known to a cracker, it is easy to attack by that address , no guessing necessary or to access microphones and audio/media devices.
Not even powerful intrusion tools such as NMAP can obtain your interal ip address and media device IDs. This is very serious in my opinion.
Also remember to stop the microphone device ID leaks etc by doing the following.
To put an end to your microphones and other audio devices details to be visible on the internet (go figure !!) Go to about:config search for media.navigator.enabled and set it to FALSE namely media.navigator.enabled to FALSE
Modified
You may be interested in this :
(make sure to read the whole article, please)
zimbodel said
larsonreever, Basically it is probably one of the first thing malicious sites check. Firefox out of the box as it currently stands, passes on your public IP address and your INTERNAL IP address by means of webRTC. This is serious. In addition your microphone and media Device ID's are also ,made available to any website that is interested. Although the addresses could be hashed and unusable, the Ip addresses plus available audio device ID's can be used pretty easily not only for tracking, but clearly also possible for hacking. What is the point you have a very good stealth firewall, when this security bug just passes on your internal and public address straight to any interested website. It is my opinion it is the basis of a lot of browser based intrusions. I caught this as I am constantly monitoring lan & wan traffic packages to and from my firewall and it picked up my internal address inside a package which lead me after some time to firefox being the culprit. I would not at all be surprised if your trouble you listed is due to this. This flaw combined with e.g. FF ESR can create a lot of trouble if flash is enabled in ESR etc. There is a lot of info a cracker can get when you just by accident visiting an infected site, while the webRTC flaw is active in Firefox. Once the internal IP address is known to a cracker, it is easy to attack by that address , no guessing necessary or to access microphones and audio/media devices. Not even powerful intrusion tools such as NMAP can obtain your interal ip address and media device IDs. This is very serious in my opinion. Also remember to stop the microphone device ID leaks etc by doing the following. To put an end to your microphones and other audio devices details to be visible on the internet (go figure !!) Go to about:config search for media.navigator.enabled and set it to FALSE namely media.navigator.enabled to FALSE
Thanks for the details, there were really insightful. I successfully enabled the media.navigator.enabled to FALSE though.
McCoy said
You may be interested in this : https://blog.mozilla.org/blog/2019/09/10/firefoxs-test-pilot-program-returns-with-firefox-private-network-beta/ (make sure to read the whole article, please)
I honestly dont see the point, but thanks for the info. I received questionaires about VPN about 1/2 a year ago, and it now from this link seems firefox want to ship with a vpn in future. Thats not going to end well. We most probably will have to use firefox's future VPN if we want to use firefox at all in future if I understand correctly. So we have no choice about which vpn to use. This wont work. Its not transparent and void of choice.
If this is going to be any bit as disasterous as the DOH initiative where we are forced to use cloudfare as our DNS provider, which is dubous to boot, then I think it goes into the direction of firefox painitng itself into a corner. One option for DNS ..cloudfare. one option for transactions firefox's mystery vpn.
A browser is only safe if I can choose and construct my safety from a selection of competing services. The number of options "1" is always a liability in these matters. Its called a pigeon hole, and this trend seemingly moves towards pigeonholing the users. It is ok if we can absolutely trust Firefoxs VPN, but who owns it and most importantly, who controls it? We will probably never know.