You writing: "This demo secretly makes requests to STUN servers that can log your request. These requests do not show up in developer consoles and cannot be blocked by browser plugins (AdBlock, Ghostery, etc.). "

Try to check NoScript Plugin ;)

Is this mitigated by using Tor? Or does WebRTC expose this information regardless?

I can't seem to use a return statement to put it in a variable

function addIP(ip) {
return ip
}

var ip = findIP(addIP);

doesn't return the ip

Otherwise it would got a ".local" ip

The code doesn't work on Mobile, or at least it doesn't return anything. It would be better if there's a way to return a default value, whenever no IP should be returned.

Example (I marked my changed lines):

        function getIPs(defaultIp, callback) {        // <<<<<<<<<<<<<<
            var callbackCalled = false;               // <<<<<<<<<<<<<<
            var ip_dups = {};
            //compatibility for firefox and chrome
            var RTCPeerConnection = window.RTCPeerConnection
                || window.mozRTCPeerConnection
                || window.webkitRTCPeerConnection;
            var useWebKit = !!window.webkitRTCPeerConnection;
            
            //bypass naive webrtc blocking using an iframe
            if (!RTCPeerConnection) {
            
                //NOTE: you need to have an iframe in the page right above the script tag
                //
                //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
                //<script>...getIPs called in here...
                //
                var win = iframe.contentWindow;
                RTCPeerConnection = win.RTCPeerConnection
                    || win.mozRTCPeerConnection
                    || win.webkitRTCPeerConnection;
                useWebKit = !!win.webkitRTCPeerConnection;
            }
            
            //minimal requirements for data connection
            var mediaConstraints = {
                optional: [{RtpDataChannels: true}]
            };
            var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
            //construct a new RTCPeerConnection
            var pc = new RTCPeerConnection(servers, mediaConstraints);
            
            function handleCandidate(candidate) {
                //match just the IP address
                var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
                var ip_addr = ip_regex.exec(candidate)[1];
                //remove duplicates
                if (ip_dups[ip_addr] === undefined) {
                    callbackCalled = true;       // <<<<<<<<<<<<<<
                    callback(ip_addr);
                }
                ip_dups[ip_addr] = true;
            }
            //listen for candidate events
            pc.onicecandidate = function (ice) {
                //skip non-candidate events
                if (ice.candidate){
                    handleCandidate(ice.candidate.candidate);
                }
            };
            
            //create a bogus data channel
            pc.createDataChannel("");
            //create an offer sdp
            pc.createOffer(function (result) {
                //trigger the stun server request
                pc.setLocalDescription(result, function () {
                }, function () {
                });
            }, function () {
            });
            //wait for a while to let everything done
            setTimeout(function (defaultIp) {      // <<<<<<<<<<<<<<
                //read candidate info from local description
                var lines = pc.localDescription.sdp.split('\n');
                lines.forEach(function (line) {
                    if (line.indexOf('a=candidate:') === 0){
                        handleCandidate(line);
                    }
                });
                // if no callback was sent
                if(callbackCalled === false){  // <<<<<<<<<<<<<<
                    callback(defaultIp);       // <<<<<<<<<<<<<<
                }
            }, 1000);

        }

// usage:
getIPs('0.0.0.0', function (ip) {...}

I got error in firebug like this.

Error: RTCPeerConnection constructor passed invalid RTCConfiguration - missing url

var pc = new RTCPeerConnection(servers, mediaConstraints);

What do you think about publishing this functionality to npmjs package manager?

I open the browser to view “https://diafygi.github.io/webrtc-ips/” on telephone，the correct IP address can be obtained by the first run .
But when the real net environment has changed , real ip has changed ( it is easy to change network environment on mobile phone ). I refresh the browser , only can get the old IP address , not the latest one .

How to refresh the WebRTC Connection? I set RTCPeerConnection .close when I got IP，but it doesnot work.
Please help me. Thank you very much!

Hi,

The developer console is blank when I load the demo. It also doesn't return any IPs. Firefox returns both the local and external IPs (disturbing!).

Do you know if Chrome fixed this in some way? Can anyone else with a recent Chrome confirm similar behavior?

Thank you,
Teran

Bug in demo with sdp

Uncaught TypeError: Cannot read property 'sdp' of null at (index):94

Hi, On my mac, safari's latest version, it's not working.

Has anyone found an alternative .?

what about ipv6?

I have run demo in Opera and nothing shows.
I pasted the java script into developer console...nothing happens.

Just to let you know: I am using Opera VPN and it gives me a Canadian IP address via Surfeasy, and IP address location of Washington DC. If I use Yahoo, it gives me ca.yahoo.com.
I am also using the WebRTC Leak Prevent extension.

When I do a search for house prices, it comes up with California Bay Area information. That is where I am. If Opera is using Surfeasy in Canada, and gives an IP in DC, why are my searches coming up local?

Let's see what browser vendors think?
https://bugzilla.mozilla.org/show_bug.cgi?id=1126187

var win = iframe.contentWindow;

should probably be

var win = document.getElementById('iframe').contentWindow;

since iframe is not defined.

Hi,

On the Demo Page @ https://diafygi.github.io/webrtc-ips/

"These requests do not show up in developer consoles and cannot be blocked by browser plugins (AdBlock, Ghostery, etc.)."

That's not really true anymore. The and part. ;)

WebRTC Leak Prevent: https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml?utm_source=chrome-app-launcher-info-dialog

Perhaps add a note about it.

Thanks,

Will

I have looked up the the link provided above. But it could not return any IP address.

Demo: https://diafygi.github.io/webrtc-ips/

Tested on Safari 10 (mac OS 10.12.3), Chrome (Mac OS), Chrome (Linux/GNU)

The demo page states:

"These requests do not show up in developer consoles and cannot be blocked by browser plugins (AdBlock, Ghostery, etc.). "

This is slightly misleading because NoScript will of course block them until JavaScript is permitted.

I saw the code

        servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);

however, my network never connected with internet. How to use in local network. thank you.

Hi.
I got critical error "ICE failed, see about:webrtc for more details" on your script, even on your demo page.
I have Windows 7, Firefox 39.

Hi there,

I came to ur lib trough Google, first searching searching for HTML5 video player which can play remote video file. So it came to my mind to search something related to WebRTC.

I am not sure what is ur lib doing exactly, but I think it can be use for me in two ways.

Can this be used in case that you are playing video in player using remote video file, from other server. For example, I am hotlinking Tumblr video file, but I don't wanna show my server IP in their logs. So instead it will show exactly users IP.

You said This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.

Can you give more details how this an be used in tracking and advertising. I am building ad server as well and would like to know if I can have use for it.

Tnx

The demo does not seem to display public IP and IPv4/IPv6. It only displays local IP. When I looked into the code, came across if conditions and RegEx. This will eventually end up showing one IP at a time. Not much of use.
I am looking for a way to find users public as well as local IP.

uBlock Origin has an option to prevent WebRTC from leaking your private IP: https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address.

I can confirm that version of uBlock Origin successfully prevents my private IP from showing on your demo.

Try:
var ip_regex = /([0-9]{1,3}(.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{0,4}){2,7})/

when you try to select from the menu "IP handling policy" only available "Use the default public interface only" other choices are not visible

NoScript blocks it...

Can anyone please guide me how to get the ip from a IOS device ?

A VPN provider released their own Chrome extension which now blocks webrtc leaks. Not sure how easy to circumvent though.

Extension

Confirmed blocking in demos here & here.