WebRTC attack surface area?

Question

I'm building an app for browser-to-browser communication.

What is the attack surface area for WebRTC in 2015?

What kinds of attacks could be done? And more importantly, how do I craft something useful, that does it's reasonable best to be secure?

Here's a list of attacks I've found so far:

Information Leaks:

1. Leak IP address behind VPN
2. Persistent monitoring (audio/video). Browsers work hard on this.
3. Screen sharing plugins.

Remote code execution:

1. Don't run javascript sent from other browsers. Warn developers and users.
2. Don't open zip, pdf, or other executable files. Warn users.
3. Searching Metasploit?
4. Video codec exploits?
5. Remediation by using a browser in a VM.

Here's some discussions from a couple years ago.

Are there any other obvious attacks? Where would you start to hack a remote browser to which you have a WebRTC connection?

Answer 1

There is always the possibility of a zero day memory corruption exploit or other exploit.. with any kind of javascript API. I don't really see webrtc as being a huge security threat though. There are easier and more popular targets like flash. I think your list is probably complete, I have seen the VPN "exploit" a while ago, I think that's the only one which was known to be consistently possible, so that seems like a very good track record (so far). I probably would make this a comment, but I am not able to comment.