We Helped Patch a Chromium Bug That Could Leak Your Real IP — Here’s How
Sometimes a user report leads to a big fix.
A Windscribe user contacted us about a strange privacy issue with our browser extension on Chrome for macOS. When they clicked a “Share” button on a website (the kind that opens the native macOS share sheet), their real IP address was being exposed, even though they were connected to Windscribe via proxy settings in Chrome.
It didn’t add up. So, we dug in.
When “Share” Means “Expose”
The culprit turned out to be a surprising combination of browser behavior and OS-level services.
Here’s what was happening:
- A website uses the Web Share API, calling navigator.share() with a URL.
- Chrome on macOS opens the native macOS share sheet.
- As soon as the share sheet appears, macOS (not Chrome) quietly fetches metadata about the shared URL — things like the page title, favicon, and Open Graph data.
- This request doesn’t go through Chrome’s network stack. It completely bypasses any proxy the user has configured in Chrome (like Windscribe).
- The result? The user’s real IP address is sent in plain sight to the server hosting that URL.
Even worse: this request doesn’t show up in Chrome DevTools. There’s no transparency or control — just an invisible leak.
Safari? Not a Problem.
This is Chrome-specific behavior on macOS. Safari, for instance, doesn’t pre-fetch metadata when opening the share sheet. It waits until the user chooses a destination.
We Flagged It. Chromium's Fixing It.
Once we confirmed the behavior, we filed a bug report with Chromium’s networking team, flagged it under Blink > Webshare, and provided a detailed breakdown of the issue. The good news?
📢 Chromium has acknowledged the bug and is including a fix in an upcoming release. Full details here.
Chromium’s fix stops the metadata request entirely when the share sheet opens — eliminating the risk of proxy bypass via PAC scripts or extensions like Windscribe.
Why This Matters (Even If You Don’t Use Windscribe)
This isn’t just a Windscribe issue — it’s a privacy concern that affects any Chromium user on macOS using a proxy inside the browser, including Brave, Edge and Chrome.
All it takes is a bit of JavaScript and a “Share” button to expose a user’s real IP address. No clickbait. No malware. Just a clever trick and a system-level blind spot.
We were lucky our user spotted it — and even luckier that Chromium is fixing it.
Acknowledgements
This discovery started with a single user doing what we love most: reporting weird things.
To that user — maitai — we salute you. 🫡
To the rest of you: keep those reports coming. Privacy on the internet isn’t static — and with your help, we’ll keep making it better.