DEV Community

FireKey Team
FireKey Team

Posted on

WebRTC Leaks: The Hidden Fingerprint That Exposes Multi-Account Users

Most people know about IP addresses. Fewer know about WebRTC leaks — and they're often more dangerous for multi-account setups.

What is WebRTC?

WebRTC (Web Real-Time Communication) is a browser API for peer-to-peer connections — used by video calls, gaming, file sharing. The problem: it exposes your local network IP address to any website, even when you're behind a VPN or proxy.

// Any website can run this to get your real local IP
const pc = new RTCPeerConnection({iceServers: []});
pc.createDataChannel('');
pc.createOffer().then(offer => pc.setLocalDescription(offer));
pc.onicecandidate = event => {
  if (event.candidate) {
    const ipMatch = event.candidate.candidate.match(/\d+\.\d+\.\d+\.\d+/);
    if (ipMatch) console.log('Your local IP:', ipMatch[0]); // e.g., 192.168.1.42
  }
};
Enter fullscreen mode Exit fullscreen mode

Why This Breaks Multi-Account Setups

Your local IP (192.168.1.x or 10.0.0.x) is assigned by your router. It:

  • Stays constant across different browser sessions
  • Persists through proxy rotation — the proxy hides your public IP, not your local one
  • Works in incognito mode — it's not a cookie, it's hardware-level

If you're running 5 Amazon seller accounts, all from the same machine, they all share the same local IP via WebRTC. Platform detection systems correlate this within milliseconds.

The Full Fingerprint Attack Surface

WebRTC is one of several vectors:

Signal What it reveals Persistence
WebRTC Local network IP Very high
Canvas hash GPU rendering signature Very high
WebGL GPU model/driver High
Font list Installed fonts Medium-high
Screen resolution Monitor setup Medium
Timezone Location Medium

How to Actually Protect Yourself

  1. Block WebRTC entirely per profile (not globally — that breaks video calls for your main browser)
  2. Spoof canvas/WebGL rendering per profile
  3. Match timezone + locale to your proxy's exit location

I use FireKey for this — free open beta, each profile gets WebRTC blocked and a unique fingerprint. The key is profile-level isolation, not browser-level settings.

Test If You're Leaking Right Now

https://browserleaks.com/webrtc — shows your local IP if WebRTC isn't blocked

This post was written using a FireKey isolated browser environment with WebRTC blocked.

Top comments (0)