This is a very serious situation – not only does it create network security issues but it can also be used to add entropy to server-side fingerprinting for the purpose of tracking users across the World Wide Web.
However, after a lengthy discussion with the developer, he is refusing to release details of the vulnerability and is instead choosing to take the route of “Security by Obscurity”. His argument is (and I quote):
“no one else in the world knows how to do what I do, so no one else can do it so the risk is already mitigated in general”
First of all, I seriously doubt that is the case – there are a lot of incredibly smart people out there and the chances are this vulnerability has been discovered by others and may already be in the wild and being used to compromise security and privacy.
Secondly, security by obscurity is never an acceptable answer to such threats for exactly the reason above.
So far the following browsers have been found to be vulnerable to this exploit:
Mozilla Firefox v 30.0
Google Chrome v 35.0.1916.153 m
Chromium v 220.127.116.11
The following browsers are NOT vulnerable to this exploit:
Internet Explorer 11
TOR Browser 3.6.2-Windows
Safari 5.1.7 for Windows
Safari for iOS 7 (iPhone – unable to check iPad)
UPDATE (18th June)
WebRTC is only available in newer Chrome/Chromium (including Chrome for Android) and Firefox builds and is therefore not currently an issue in Safari or Internet Explorer, but it does create some serious privacy and security risks, as outlined in the blog I linked to in the last paragraph.
As such, this author believes that WebRTC should be disabled by default to mitigate such risks and only be turned on should users explicitly request it – however, given the advantages this gives Google and Mozilla for cross device tracking, I am not going to hold my breath on them making these changes.
My thanks to Mike O’Neill at BayCloud Systems for his work over the past couple of days on figuring out how Wolf Software are doing this.