AppleInsider may earn an affiliate commission on purchases made through links on our site.
A flaw discovered in Apple's new iCloud Private Relay defeats the feature's raison d'etre by exposing a user's IP address when certain conditions are met.
As detailed by researcher and developer Sergey Mostsevenko in a blog post this week, a flaw in Private Relay's handling of WebRTC can "leak" a user's real IP address. A proof on concept is available on the FingerprintJS website.
Announced at the Worldwide Developers Conference in June, Private Relay promises to prevent third-party tracking of IP addresses, user location and other details by routing internet requests through two separate relays operated by two different entities. Internet connections configured to pass through Private Relay use anonymous IP addresses that map to a user's region but do not reveal their exact location or identity, Apple says.
In theory, websites should only see the IP address of an egress proxy, but a user's real IP, which is retained in certain WebRTC communications scenarios, can be sussed out with some clever code.
As explained by Mostsevenko, the WebRTC API is used to facilitate direct communications over the web without the need for an intermediate server. Deployed in most browsers, WebRTC relies on the interactive connectivity establishment (ICE) framework to connect two users. One browser collects ICE candidates — potential methods of connection — to find and establish a link with a second browser.
The vulnerability lies with the Server Reflexive Candidate, a candidate used by session traversal utilities for NAT (STUN) servers to connect to devices sitting behind a NAT. Network address translation (NAT) is a protocol that enables multiple devices to access the internet through a single IP address. Importantly, STUN servers share a user's public IP address and port number.
A user's IP address can be gleaned by making a connection object with a STUN server, collecting the ICE candidates and parsing the values, according to the researcher.
The Hacker News reported on the FingerprintJS discovery on Friday.