WebRTC leak in SafeZone Browser

[mchain]

Used ipleak.net to detect.

WebRTC is displaying internal network ip's using SafeZone Browser.  Is there a fix or add-on that can be installed?  See attached.

[DavidR]

I could well be wrong as I don't use the SafeZone Browser so I don't know if this really is an issue, I base this comment on the text in your image:

"IPv6 test not reachable"
and
"If you are now connected to a VPN and you and you see your ISP IP, then your system is leaking WebRTC requests"

I don't see an ISP IP address in your image only the local IP address, but the SafeZone Browser isn't a VPN ?

[mchain]

Any misunderstanding is entirely my fault.

Snipped image re external ISP ip was not snipped for privacy reasons.

No, the avast SafeZone Browser is not a VPN, merely a browser using Chromium code and maintained by Avast.

IPv6 not reachable is due to router settings set to reach IPv6 addresses via tunneling alone, enabling direct IPv6 will result in avast network code alerts when network inspector is run.

• Not running SafeZone Browser in a VPN environment in the first post.
• Snip is the actual WebRTC leak displayed; network ip's displayed in the attachment below above are from the internal home network and are not the actual ISP ip assigned to the home router, which is set to dynamic.
• Actual ISP ip (IPv4) is listed above the found WebRTC leak.  You will see your ISP ip when you run the ipleak.net site in your browser.
• Since the browser used is forward-facing, the found private information can be discoverable for malicious purposes as the browser is connecting to system(s) outside the private home network.

So, the test is specifically for browsers connecting via a VPN, but also can be used for those not connecting via a VPN.  Either way, in either mode, WebRTC leak should not occur if the browser is configured properly.  WebRTC leak shows independently of VPN or non-VPN environment.

Running avast SafeZone Browser version 3.55.2393.596.

Additional testing done today:

• Running SafeZone Browser in Bank Mode will result in the same WebRTC leak as in standard desktop environment.
• Running SafeZone Browser in avast VPN will also result in a WebroRTC leak, but shows the actual avast VPN ip (100.100.48.17) instead of the system ip shown in the first attachment above.

Obviously, SafeZone Browser will behave the same way outside of Bank Mode whether in VPN or not.
Just so you know, Opera browser also shows the same vulnerability whether running in VPN or outside VPN, as it also allows WebRTC to run and display.

Hope this clarifies things for you.

[DavidR]

It is a little clearer, now that you mention you can also run it without actually using a VPN to see if WebRTC is run.

[mchain]

Shoot, I was hoping it would be a lot clearer.   

Anyways, I don't think SafeZone browser should be doing this?  Either in standard desktop or Bank Mode?

If you are leery of running ipleak.net in your browser, you can do so safely via Sandboxie program, just so you know.  Set the sandbox to automatically delete on browser close.  As long as you run sandboxie, the real browser will be unchanged.  You can do things like change/disable NoScript without making permanent changes to the real browser.

[EDIT:]  Fix typo.

[DavidR]

The clarity is probably whizzing over the top of my head, having never used used VPN software or the SafeZone Browser. I have never considered them for my browsing habits.

Lots of people are concerned about Internet Privacy, I have taken the position that what I do in the internet is pretty much out there to be harvested, very little privacy. I take alternative measures to protect my system without worrying too much about privacy.

There are many tests that can be run and many that have been posted in the forums, but to actually run these tests, the first thing that I have to do is lower my defences to allow the test to run.

A long time ago I did have sandboxie installed but over time I found I wasn't really using it, so it went the way of other under/un used programs they were uninstalled.

[mchain]

Thank you David.   

Irregardless, many users here think that SafeZone Browser is a good browser, and maybe a secure one, and maybe, for most it is.  Just pointing out a security hole I believe should not be there, especially since it is touted as a more secure browser out-of-the-box than most.

Question raised in the first post still stands:  Is there a fix or add-on available?

[REDACTED]

Hi mchain,

the latest Opera and Avast SZ Browser 3.55.2393.596 have both WebRTC options under their security settings. I actually don't understand why your Opera and SZ still leak your real ISP IP. I tested www.ipleak.net and others with my VPN (Windscribe) and my real IP was hidden. Have you used these options?

Kind regards
M2M 

[mchain]

Thank you for pointing me in a direction to resolve the WebRTC issues in both SafeZone Browser and Opera.

See attached below for setting changes that can be made to both, since both are Chromium browsers, changes made are similar:

Basically, there is no user guide to show such settings that I could find, I had to open 'Settings' in both browsers and type in webrtc in the search settings field to get available options.  I could not find webrtc settings elsewhere in either settings configuration field, and I looked more than once.

• In Avast, it was necessary to tick the 'Show Advanced Options' box to make changes needed.

I found that making these changes is not intuitive for the average user in any case.