Chrome, Firefox Leak actual IP of VPN Users

A post on Friday at torrentfreak.com reveals a security flaw in WebRTC-enabled browsers that leaks the actual IP addresses of VPN users.

I primarily use VPNs to protect my data when on an untrusted network (such as at a hotel, coffee house or other hot spot). It also comes in handy to check access from other parts of the world, by VPNing to a foreign point of presence.

VPNs are also used for anonymity. Websites are able to make a STUN request, and browsers supporting this request will reveal what were thought to be protected IP addresses of the client.

You can check if you are affected at a test website set up by Daniel Roesler: https://diafygi.github.io/webrtc-ips/

In my case when using Chrome, the website shows 2 internal IP addresses (wired and wireless), my VPN client IP address, my external (ISP) IP address, and the IP address my request is coming from.
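To read a self-test result like the one above, the sketch below (an added example, not code from torrentfreak or from Roesler's test page) parses ICE candidate lines and marks which addresses sit outside the VPN. The function names and every address are constructed for illustration, and only IPv4 is classified.

```javascript
// Added example: classify ICE candidate lines gathered during a WebRTC self-test.
// Parse one candidate line (RFC 5245 candidate-attribute layout); null if malformed.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m ? { address: m[5], port: Number(m[6]), type: m[7] } : null;
}

// True for RFC 1918 private, loopback and link-local IPv4 addresses.
function isPrivateV4(addr) {
  const o = addr.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// Return one finding per distinct address. Any public IPv4 address that is
// not the expected VPN exit address is reported as a leak.
function auditCandidates(lines, vpnExitIp) {
  const seen = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c || seen.has(c.address)) continue;
    let verdict;
    if (c.address.endsWith('.local')) verdict = 'mdns-obfuscated'; // some browsers hide host IPs this way
    else if (c.address.includes(':')) verdict = 'ipv6-unclassified';
    else if (isPrivateV4(c.address)) verdict = 'local-network';
    else if (c.address === vpnExitIp) verdict = 'vpn-exit';
    else verdict = 'leak';
    seen.set(c.address, { address: c.address, type: c.type, verdict });
  }
  return [...seen.values()];
}

// Constructed sample: wired, wireless and VPN tunnel addresses, then two public ones.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host',
  'candidate:2 1 udp 2122194687 192.168.1.57 51001 typ host',
  'candidate:3 1 udp 2122129151 10.8.0.6 51002 typ host',
  'candidate:4 1 udp 1686052607 203.0.113.45 51000 typ srflx raddr 192.168.1.23 rport 51000',
  'candidate:5 1 udp 1685987071 198.51.100.7 51002 typ srflx raddr 10.8.0.6 rport 51002',
  'not a candidate line',
];
const findings = auditCandidates(SAMPLE, '198.51.100.7');
console.log(findings.filter(f => f.verdict === 'leak').map(f => f.address));
```

A non-empty result means an address other than the VPN exit is visible to the page, which is the condition the blocking extensions are meant to eliminate.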

Internet Explorer does not support WebRTC and does not leak this information.

Per torrentfreak, fixes in Firefox include running NoScript; in Chrome, ScriptSafe or WebRTC Block.