Brave iOS 1.5.5 - Private IP Leak via WebRTC while on VPN

bug

#1

This has been an UNRESOLVED BUG with Brave for an UNACCEPTABLY LONG period of time, especially for a “privacy oriented browser”.

Happens/ed with Brave iOS 1.5.5 and earlier on iPad Pro and iPhone 6s running iOS 11.2.5, 11.2.6 and 11.3.

While on a VPN, Brave is LEAKING MY IP via WebRTC (see attached). 67.x is my home IP and 173.x is my VPN’s IP. Brave SHOULD ONLY BE SHOWING MY VPN’s IP, i.e. 173.x.

All shields are enabled except script blocking (see attached).

The following browsers ARE NOT LEAKING my private IP VIA WEBRTC with JavaScript/scripts enabled. This is a PROBLEM WITH BRAVE.

You can check at https://ipx.ac

Safari no leak, shows vpn IP
Firefox Focus no leak, shows vpn IP
Endless Browser no leak, shows vpn IP

FINALLY FIX IT PLEASE IF YOU CARE ABOUT PRIVACY.
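The check described in the report above, as an added example that is not part of the original post: it parses WebRTC ICE candidate lines and lists every address other than the VPN's egress IP. The function names, the sample candidates and the documentation-range addresses are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): flag WebRTC ICE candidates that expose
// an address other than the VPN's egress IP. Input lines are the `candidate`
// strings a browser emits in RTCPeerConnection "icecandidate" events.
// Grammar (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...

const CANDIDATE_RE = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(String(line).trim());
  if (!m) return null; // not an ICE candidate line
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7] };
}

// RFC 1918, IPv4 link-local, IPv6 ULA and IPv6 link-local prefixes.
function isPrivate(addr) {
  return /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|f[cd][0-9a-f]{2}:|fe80:)/i.test(addr);
}

// Returns every candidate whose address is neither the VPN egress IP nor an
// mDNS-obfuscated hostname (*.local): the addresses a remote page would learn.
function findLeaks(candidateLines, vpnIp) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || c.address.endsWith(".local") || c.address === vpnIp) continue;
    leaks.push({ address: c.address, type: c.type,
                 scope: isPrivate(c.address) ? "private" : "public" });
  }
  return leaks;
}

// Constructed sample: 203.0.113.9 stands in for the VPN IP and 198.51.100.7
// for the home IP (documentation ranges, not the addresses from the report).
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host",
  "candidate:2 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.20 rport 54321",
  "candidate:3 1 udp 1686052607 203.0.113.9 54322 typ srflx raddr 10.8.0.2 rport 54322",
  "candidate:4 1 udp 2122260223 3f2a1c9e-0000-4000-8000-aaaaaaaaaaaa.local 54323 typ host",
  "not a candidate line",
];

console.log(findLeaks(SAMPLE, "203.0.113.9"));
```

An empty result means only the VPN address (or mDNS-masked host candidates) was exposed, which is the behaviour the report expects from the other browsers.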


#2

Here are my settings. Private Browsing, block all cookies are enabled. As you can see, script shield is disabled. All the other browsers do not leak private IP with scripts enabled.


#3

Wow. This is serious! I can confirm this bug in the latest Windows version, too!

Brave: 0.22.13
V8: 6.5.254.41
rev: a8cfb160479f1d00d0769368eb440030182bb83b
Muon: 5.1.2
OS Release: 6.3.9600
Update Channel: Release
OS Architecture: x64
OS Platform: Microsoft Windows
Node.js: 7.9.0
Brave Sync: v1.4.2
libchromiumcontent: 65.0.3325.181


#4

Thanks for reporting @sundance,

It’s a known issue and logged here


#6

It’s a major known privacy and security issue. WTH hasn’t it been fixed?

Reading the threads out there, it appears Brave devs think this is “normal behavior”. It isn’t.


#7

It absolutely isn’t, I can +1 that.


#8

@MillenniumFalcon this issue has come up and been closed numerous times, but I think this time round it will be fixed, as it was brought up in a conversation with Brenden. In relation to your specific OS and the desktop platform in general, I think the team have mitigated it quite swiftly with the implementation of “Add an option to disable WebRTC in about:preferences”, which will be in one of the x.22.x releases.

However, as @eljuno pointed out, it has been logged separately for iOS, but I was curious, @eljuno: shouldn’t the fix on the other platforms effectively make it available sooner, or is it because coding practices are different, and will there be a similar implementation as on the desktop versions?
Perhaps you could ask Joel, because he just simply says this will be fixed in 1.6, like the times it was reported in browser-laptop but never properly fixed.

Thanks


#9

STILL LEAKING ON 1.5.6!!! WTH. At this point I think Brave is in bed with big data or advertisers.


#10

@sundance mate. Have a look at this link which was posted earlier by the member above, WebRTC IP leak using VPN; scroll down to jhreis’s comment and you’ll notice he says, ‘…This is an iOS 11 + UIWebView only issue. This will be fixed on 1.6.’

Here’s the milestone for iOS: https://github.com/brave/browser-ios/milestones


#11

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.