Old Firefox Security Issue they seemingly Refuse To Fix

In 2015 webRTC vulnerability has been reported.

Still this day 30 september 2019, Firefox still ships with the vulnerability.
I picked this up checking packets with snort on wan for my local IP address and was shocked to find that the webRTC vulnerability is STILL allowed to continue.

So much for Firefox security. It seemingly is not what they make it out to be.
I checked and it is still on my androids and wherever I run firefox even version 69.0

The test is as follows: See if you see your local IP address when you visit this site.
https://browserleaks.com/webrtc

If so then you have zero anonimity even with VPN.

The fix is
about:config in URL field
followed by search for
media.peerconnection.enabled
Set it to false.

Why on earth do they ship with webRTC on by default ? They know about this, yet refuse to fix.
Most addons dealing with this dont work and if they do it is only for a while before they are bypassed.

I am baffled with Firefox’s brazen disregard for our security. This is a 4 year old bug!

Thanks for this, the test and the fix. A well put together post.

Well, it’s the Internet - might as well be another planet in another galaxy. Moz has become quite snobby and self-important over the years.
I use their 'ware sometimes, but I prevent updates for at least 90 days - I wait for the victim/beta testers to suffer first. Somehow, blocking upgrades failed the other day and a Tbird update came in it now crashes on getting mail, crashes when closing, and crashes when sending a crash report. O Yea - upgrades should be called crashades. They’ve really gone downhill since selling out Netscape. IMO.

Thanks again,

~o~

A post was split to a new topic: More obvious link to privacytools.io from forum

Sharon,
You are spot on. Lol.
It reads like my firerfox life-story lately.

Something really strange happened at FF.

Their behavior is extremely odd when I contact them with bug reports. They just close it saying it is a duplicate of a 2015 bug, but then DONT FIX THE BUG that is still present to this day, that you probably verified yourself. Absolutely crazy ! Somehow the bug is very important to them and they wont close the vulnerability come hell or highwater.

I dont know what is left to use. Brave is a contender, but they sadly moved over to google and that can be equally dubious at this stage.
At least brave ( “https://brave.com/browser-option-a-hpa811/” ) imports your firefox bookmarks etc which firefox now just trashed since 69.0. They say brave was started by a firefox co-creator, but the direction they take moving to google browser engine as platform looks a bit strange.

Unless I use Firefox’s silly i.m.o password gathering sync service I am required since 69.0 to rebuild my bookmarks and password files if I want to upgrade firefox. It usually just read your previous profiles and you have all your bookmarks and passwords.

In addition, with upgrade on Linux, you now are forced to use the “give it all away” sync service.
It doesnt read your previous bookmarks and passwords, although I proved that it can, but they seemingly made it incompatible by design, seemingly trying to force everyone to store their passwords on their sync service.

If you come across another open source browser that can import firefox user data let me know please.

1 Like

To add to my original post:

I forgot to mention that all of a user’s audio media addresses aka (Device IDs) (think equiv to mac addresses for tcpip) is also fed to the internet if you test your browser with “https://browserleaks.com/webrtc"
You will see it listed lower down if you are affected.

To put an end to your microphones and other audio devices details to be visible on the internet (go figure !!)
Go to about:config
search for
media.navigator.enabled
and set it to FALSE namely
media.navigator.enabled to FALSE

If you run the link again you will see that no data about microphones and audio equipment of you system is forwarded by default to the internet.

I think it is mentioned in one of the links but not explicitly as I can remember.
Any case this might stop that gaping risk.
“Media Devices n/a” should appear in the place of all the audio device addresses if the changes were successful.

A 4 year old, humungous security issue that is blatantly ignored up till this date… go figure !

1 Like

btw, disabling webrtc break webrtc functionality. https://en.wikipedia.org/wiki/WebRTC

That the reason why they keep it. There a difference between trying to be the most usable web browser, and being the most private one. Firefox, being a company trying to gain market part with his browser need to find a good middle between those two.
Oh, and btw, what you desactivate with media.navigator is the access to devices like your webcams too. Quite a no-no for those users who want to use their skype for example.

The Navigator.mediaDevices read-only property returns a MediaDevices object, which provides access to connected media input devices like cameras and microphones, as well as screen sharing

If you need true anonymity, you should use instead a web browser which focus only on Privacy, like the Tor Browser.

Middle-private is like almost pregnant. If FF wants the market share, then they should dev a FF that provides total privacy, or share the market with the other shysters. There is no in-between. Even data from cams, mics, GPU, CPU, MoBo - whatever stalker is used to attack privacy, doesn’t mean some privacy is of any value - except for marketing propaganda. IMO.

Tor is getting blocked by so many sites now, it’s losing it’s value. The only place I found Tor is not blocked so much is the media-hyped “Dark Net” “Deep Web” or whatever the kiddie-kewl name is this week. And even then, it’s a circus of scams, shams, shysters, crooks and bums, and peeps and pervs.

Well, anyone using Skype should not expect ANY privacy so your point is???

Why is there even a war on between Privacy and Stalkers? Government and corporations that use the result from stalking know we are fighting it, else why would they keep finding ways to circumvent our desire for privacy? I’m ready to take the gloves off.

Just say’n s’all,
~☍~

Again. My thanks. Alas, history has shown us that whatever tools we come up with to protect our right to privacy; the shysters, creeps, peeps, pervs, stalkers - and other ilk of the real and truly seedier side of the Internet will find a way to follow us around - to monitor what we see, say, and do; in order to record all of that and use it to control what we may see, say, and do. (SMRC = Stalk, Monitor, Record, Control).

If I had the tools, the know-how and ability, I would post a copy of all the CEO and boards of directors, web-masters (oxymoron), and devs of stalkware, what sits they visit, when and for how long and from what location plus same level of personal information they peep from us. But, it’s legal for the Goose to stalk, illegal for the gander. #me.gander.too :slight_smile:

I pray for today’s youth - their future is already planned for them. That isn’t scary. The scary part is, they know it and don’t mind. Maybe because by now, they don’t have a mind.

☍O

We need a new national holiday. SMRC-free day.
.
.

That what i actually meantvto say with your “they are no in-between” for either privacy or compatibility/usueability.
Firefox isn’t going for privacy.
I wanted to point out that those things weren’t an Issue for them.
If your main software philosophy is privacy, then this would be an actual security issue.
But since Firefox isn’t considering that, their main philosophy isn’t privacy.
@zimbodel This isn’t a bug, you either get something already prepared (Like the TOR browser which aim for privacy only) or, you customise it yourself from a “classical browser base”. That why custom configs, custom settings and extensions are suggested on the privacytools.io page. Don’t expect Firefox themselves to “fix this issue”. This is voluntary.

And now, for something completly different.

There is no in-between […] except for marketing propaganda. IMO.

I agree, however, we strive for working ways on passing those issues.
For example, new experimental ways of poisoning or protecting those privacy issues can be limited trough virtualization, like for example how QubeOS does for each of its app containers.
One project i was following for quite while was Sushi-browser, which was mostly a swiss-knife browser. It had different iterations, from beginning as taking Muon (Electron fork that was developed by the Brave Browser team) as a base, than they’ve switched to Chromium.
So, instead of completly porting it to chromium, it developed a way to contain a classic chromium browser, to the Sushi Interface.


There are ways to make it better, of course, but i wanted to present you an experimental method in which this could be done.

But, it’s legal for the Goose to stalk, illegal for the gander.

Playing the devil’s advocate here, but some part of it making it legal is that they manage to make people give up their privacy, either just trought privacy terms that users doesn’t care for themselves, or worse, to actually change their mind at wanting to give up their privacy.
Thankfully, we are on a privacy focused forum. We have decided to not fail to protect our privacy from them.

1 Like

The “devil” doesn’t need any advocates. That’s what Windows 10 is for :slight_smile:

There is nothing “legal” about what ‘they’ have done to our internet, our right to privacy, and the terms they inflict. It’s just that as yet, there is no law against it. :worried:

I asked my anti-virus purveyors why they want a copy of my browsers History - they told me to read their Terms of Use. The ToU doesn’t say why - just that if I want protection, I have to let them peek. Ergo - ‘‘Want a candy little girl - then you’ll have to give us a peek’’.

Tracking AKA stalking, is no different than perverted peeping at our privacy and for what reason? To give us the candy we bought and paid for.

Thank you for your post with the well laid out explanation. I get it now. I just read the forums for the articles - but pictures make it easier :slight_smile:

☍ O
.

To [PoorPockets McNewHold]

I know that it breaks webRTC.
That is not the point.

There is definately much less than 1/1000 users that uses webRTC.
Yet, every firefox user must now give up their internal IP and audio device IDs.
Whats worse, if webRTC is enabled in firefox it even breaks anonimity in VPN !

How on earth can anyone consent to this enormous breach.
Worse is, the general user is not informed that their privacy is completely circumvented.

I believe this is basis for a class-action suit.
Especially in Europe where much less happened to trigger class action suits.

There is nothing wrong with webRTC if the user is informed that it will be switched on and their internal details are exposed to the web.

As it stands now, there is absolutely no warning to the user. People do not even know this happens to them, while data miners like google harvests at will e.g.

Firefox should have webRTC off by default and when needed, inform the user that they should switch it on to use service, and then warn them about privacy.

Very simple, right!?
No, Firefox decides to hush all this up imho wilfully exposing innocent and uninformed users to give up keys to their systems.

I admit that i might have not precised my point clearly the first time.

And i agree and your point of view aswell on their activity, They’ve made their practices common, and shaped the way the web is done.
Doing what they do is illegal, if you didn’t already shaped the laws in your favor, to make it completly applicable for your own profit.

I know from your viewpoint it isnt a software bug. And I agree. It is completely by design, which makes it worse in my opinion…

From my viewpoint and what I meant from a security viewpoint, a “bug” as in law enforcement is a device or insert that circumvents security and passes-through internal priviledged data to compromise the target.
The WebRTC vulnerability checks all the marks.

I meant “bug” as in spying etc.

Here is my opinion on why it is a classical “bug”
Firefox IMO technically allows spying as

  1. They enable the bugging process by not informing the user about the existence of a compromising feature. They are therefore enablers.
  2. They most likely conspire also as they (as in more than one), jointly refuse to inform the user knowing the risks involved to the user in the process of being enablers…
  3. Since they have been informed about the danger to the users, but do nothing about it, they are most likely willful.

I would just hope that they eventually do the right thing and inform the user before switching on webRTC. webRTC should be default off shipping with firefox.

webRTC is not at fault here, it is how it is implemented in browsers which is the problem.

1 Like

It’s true however that they atleast, can prevent the user better of this potential issue, especially since with the example i’ve found, not everybody need it.
And well, They are ways of limiting the WebRTC protocol do not leak your real address without completly desabling it. While this doesn’t fix correctly the issue, if they would have wanted to keep it “activated by default”, surely making it a “do you want to take the risk on enabling WebRTC completly ?” opt-in option when the situation were the website require it explicitly would be a better approach.

One easy workaround is to use a WebRTC manager extension:

I believe there are other extensions with similar functionality.

It would prefer if Mozilla integrated this functionality into FF. Any time you would need WebRTC access, you would get a menu asking the user to enable WebRTC. Something similar to how Flash is handled in FF/Chrome (but with the ability to permanently whitelist WebRTC access per domain).

2 Likes

Here is my opinion:
Fine extensions helps, and introduce further possible security trouble.
Security extensions truly really kick the can down the road.
Usually you just use it to cure one disease while itself creates another one silently.
People will be surprised how many security add-ons are actually predatory.

The issue is not to deal with this with extensions or the much safer procedure I stated in my original post.

The issue is WHY firefox believe it is ok to foist a firefox version which circumvents a firewall advertising internal IPs and Camera and Audio Device IDs to anyone who want to use it on the web.

It enables a cracker’s warrant for Mr & Mrs america.

The point is it should be off by default so that people who are not hat-savvy like us at least has a secure system to boot.

How to fix it is not the real issue.

Again the issue is Firefox’s brazen shipping of a compromised firefox version being totally aware of the damage possible to the unassuming user.

Innocent uninformed users are getting hurt.
I have first hand knowledge of this when I had to help someone.

The person was hacked through the browser.
It was quick for me to find the root of the problem.

Firefox with default on webRTC

That is the issue here. Shipping firefox knowingly with a security flaw and refusing to fix it.

I am not a security pro, but I don’t think webRTC in of itself allows remote attacks, no?

WebRTC is not at fault. It is a service take it or leave it .
It is the fact that webRTC is being enabled by default without users knowledge by firefox and in my opijnion willfully so fully knowing that users can be compromised since details that are always blocked by a firewall is now passed on to the web.
Take firewalls:
No one serious about security will design or set up a firewall to pass on internal IP and Device IDs, unless it is with the full knowledge and consent of the user. This is crazy !! That is primarily what firewalls are for ! Now this implementation of firefox just circumvent your firewall rules.
Any application that circumvents a firewall is malware. So one can argue that firefox with current webRTC implementation is malware to the user.

You will never know what webRTC implementation allow or disallow in addition to the serious ones I listed, the fact is that it is enabling as it discloses internal IP address and microphone device IDs.
This makes it exponentially easier for crackers.
That is the point, not whether webRTC is at fault or not.
In fact it has nothing to do with it.
It is the implementation in firefox which enables crackers because users are not aware that their firewalls are bypassed explicitly forwarding internal IP and Device IDs to the web.

I have to thank user “[ummeegge]” @ipfire who helped me a lot to identify the initial issues.
Helped me a boatload.

I thank you all for participating.
I guess the thread basically served its purpose and there is enough info to protect yourself.