WebRTC Leak
IntermediateA browser flaw where WebRTC's connection machinery reveals your real IP address even while a VPN or proxy is active.
In depth
A WebRTC leak exposes your true IP address through the browser's real-time communication API — the machinery behind in-browser video calls and peer-to-peer transfers. The cruel part: it can happen while your VPN or proxy is working perfectly, because the leak uses a side channel the tunnel doesn't cover.
The mechanism
WebRTC connects users directly to each other, so it must discover every address a peer might be reachable at. It uses ICE and STUN: the browser asks a STUN server "what addresses do you see for me?" and gathers candidates — local network IPs and your public IP among them. Any webpage can trigger this with a few lines of JavaScript, no call interface visible, and read the candidate list. If the browser queries outside the tunnel or reports interface addresses directly, your real IP lands in a script-readable list on a page you thought you were visiting anonymously.
Who's exposed and what to do
- Proxy users are the most vulnerable: browser proxy settings often don't cover WebRTC's UDP traffic at all — this is a classic antidetect-browser test, and good ones mask or align WebRTC addresses per profile.
- VPN users are safer but not immune: quality VPN apps block or route WebRTC traffic; misconfigurations and browser quirks still slip through.
- Fixes: use your VPN's leak protection, disable WebRTC where acceptable (it breaks video calls), or use browser settings/extensions that restrict candidate gathering to the tunnel interface.
Test it, don't assume
Run a WebRTC leak test with your VPN or proxy active. If any listed candidate shows your real public IP, every site you visit can read it too — fix the leak before doing anything identity-sensitive.
Examples
- A proxy user passes an IP-check page but a WebRTC test reveals their real home address in the ICE candidates.
- An antidetect browser reports WebRTC addresses matching each profile's proxy, passing the consistency check.
- A leak-test page shows a VPN user's tunnel IP only — their app is correctly routing STUN traffic.
Common use cases
FAQs
Open a WebRTC leak-test page while your VPN or proxy is active and read the gathered candidates. Seeing only your VPN/proxy IP is a pass; your real public IP appearing anywhere is a fail that needs fixing before sensitive use.
If you never make browser video calls, disabling it is the bluntest reliable fix — Firefox allows it natively, Chromium needs extensions or policies. Otherwise use a VPN with WebRTC leak protection or settings that bind WebRTC to the tunnel.
A VPN captures traffic at the system level, so STUN queries ride the tunnel by default. Browser proxy settings only cover ordinary web requests — WebRTC's UDP machinery goes around them unless the browser explicitly masks it, which is what antidetect browsers do.