iCloud Private Relay flaw leaks users' IP addresses

By AppleInsider Staff

A flaw discovered in Apple's new iCloud Private Relay defeats the feature's raison d'etre by exposing a user's IP address when certain conditions are met.

As detailed by researcher and developer Sergey Mostsevenko in a blog post this week, a flaw in Private Relay's handling of WebRTC can "leak" a user's real IP address. A proof of concept is available on the FingerprintJS website.

Announced at the Worldwide Developers Conference in June, Private Relay promises to prevent third-party tracking of IP addresses, user location and other details by routing internet requests through two separate relays operated by two different entities. Internet connections configured to pass through Private Relay use anonymous IP addresses that map to a user's region but do not reveal their exact location or identity, Apple says.

In theory, websites should only see the IP address of an egress proxy, but a user's real IP, which is retained in certain WebRTC communications scenarios, can be sussed out with some clever code.

As explained by Mostsevenko, the WebRTC API is used to facilitate direct communications over the web without the need for an intermediate server. Deployed in most browsers, WebRTC relies on the interactive connectivity establishment (ICE) framework to connect two users. One browser collects ICE candidates -- potential methods of connection -- to find and establish a link with a second browser.

The vulnerability lies with the Server Reflexive Candidate, a candidate type obtained from Session Traversal Utilities for NAT (STUN) servers, which are used to connect to devices sitting behind a NAT. Network address translation (NAT) is a protocol that enables multiple devices to access the internet through a single IP address. Importantly, STUN servers share a user's public IP address and port number.

"Because Safari doesn't proxy STUN requests through iCloud Private Relay, STUN servers know your real IP address. This isn't an issue on its own, as they have no other information; however, Safari passes ICE candidates containing real IP addresses to the JavaScript environment," Mostsevenko says. "De-anonymizing you then becomes a matter of parsing your real IP address from the ICE candidates -- something easily accomplished with a web application."

A user's IP address can be gleaned by making a connection object with a STUN server, collecting the ICE candidates and parsing the values, according to the researcher.
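The parsing step described above, as an added example that is not from the FingerprintJS proof of concept or from Apple: a self-check that reads the `candidate:` strings a browser hands to `onicecandidate`, keeps only server-reflexive (`srflx`) candidates, and reports any that carry a publicly routable address, which is exactly the value a site could harvest despite Private Relay. The sample candidate lines and the address 203.0.113.57 are constructed for the example.

```javascript
// Parse one ICE candidate attribute (RFC 8839 grammar):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
// Accepts both the bare form and the "a=candidate:" SDP line form.
function parseIceCandidate(line) {
  const s = line.startsWith("a=") ? line.slice(2) : line;
  const f = s.trim().split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  return {
    foundation: f[0].slice("candidate:".length),
    transport: f[2].toLowerCase(),
    address: f[4],
    port: Number(f[5]),
    type: f[7], // host, srflx, prflx or relay
  };
}

// Non-routable ranges (RFC 1918, loopback, link-local, IPv6 ULA) only reveal
// LAN topology; anything else is an address the outside world can attribute
// to the user. mDNS names ("....local") carry no address and are ignored.
function isPublicIp(addr) {
  const v4 = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(addr || "");
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    if (a === 0 || a === 10 || a === 127) return false;
    if (a === 172 && b >= 16 && b <= 31) return false;
    if (a === 192 && b === 168) return false;
    if (a === 169 && b === 254) return false;
    return true;
  }
  if (addr && addr.includes(":")) {
    const l = addr.toLowerCase();
    if (l === "::1" || l === "::" || /^f[cd]/.test(l) || /^fe[89ab]/.test(l)) return false;
    return true;
  }
  return false;
}

// Public addresses exposed by srflx candidates. An empty result means the STUN
// round-trip did not expose a real IP (relay proxied it, or only host/relay
// candidates were gathered), which is what a patched browser should produce.
function leakedPublicIps(candidateLines) {
  const out = new Set();
  for (const line of candidateLines) {
    const c = parseIceCandidate(line);
    if (c && c.type === "srflx" && isPublicIp(c.address)) out.add(c.address);
  }
  return [...out];
}

// Constructed sample: an mDNS-obfuscated host candidate, a srflx candidate carrying
// the real public IP learned from STUN, a relay candidate, and a srflx behind a LAN NAT.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2113937151 5c7a1b4d-9e3f-4c21-a8d2-0f6b3e5d7c90.local 54321 typ host generation 0",
  "candidate:2 1 udp 1677729535 203.0.113.57 54321 typ srflx raddr 0.0.0.0 rport 0 generation 0",
  "candidate:3 1 udp 33562367 198.51.100.9 3478 typ relay raddr 203.0.113.57 rport 54321 generation 0",
  "a=candidate:4 1 udp 1677729535 192.168.1.23 54322 typ srflx raddr 0.0.0.0 rport 0",
];
```

In a browser, collect `event.candidate.candidate` strings from an `RTCPeerConnection` configured with a STUN server and pass them to `leakedPublicIps`; a non-empty result on a Private Relay connection is the leak this article describes, and an empty one on the patched Monterey beta confirms the fix.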

The Hacker News reported on the FingerprintJS discovery on Friday.

FingerprintJS reported the flaw to Apple and the company pushed out a fix in the latest macOS Monterey beta released this week. The vulnerability remains unpatched on iOS 15.