iCloud Private Relay Flaw Leaks Users' IP Addresses

A flaw found in Apple’s new iCloud Private Relay negates the raison d’être of this feature, revealing the user’s IP address when certain conditions are met.

As researcher and developer Sergey Mostsevenko detailed in his blog this week, an error in how Private Relay handles WebRTC traffic can "leak" the user's real IP address. A proof of concept is available on the FingerprintJS website.

Announced at the Worldwide Developers Conference in June, Private Relay promises to prevent third-party tracking of IP addresses, user location and other details by routing Internet requests through two separate relays managed by two different organizations. Internet connections configured to go through Private Relay use anonymous IP addresses that match the user’s region but do not reveal their exact location or identity, Apple said.

In theory, websites should only see the outgoing proxy IP, but the user's real IP, which is exposed in certain WebRTC communication scenarios, can be extracted with some clever code.

As explained by Mostsevenko, the WebRTC API facilitates direct communication over the Internet without the need for an intermediary server. Deployed in most browsers, WebRTC relies on the Interactive Connectivity Establishment (ICE) framework to connect two users. One browser collects ICE candidates – potential connection methods – to find and establish a link with a second browser.

The vulnerability relates to the Server Reflexive Candidate, a candidate type obtained through Session Traversal Utilities for NAT (STUN) to connect devices behind NAT. Network Address Translation (NAT) allows multiple devices to access the Internet through a single IP address. It is important to note that STUN servers learn the user's public IP address and port number and return them to the browser.

“Since Safari does not broadcast STUN requests over iCloud Private Relay, the STUN servers know your real IP address. This is not a problem as they have no other information; however, Safari transfers ICE candidates containing real IP addresses into a JavaScript environment,” says Mostsevenko. “Deanonymizing you then comes down to parsing your real IP address from ICE candidates – which is easy to do with a web application.”

According to the researcher, the user’s IP address can be obtained by creating a connection object to the STUN server, collecting ICE candidates, and parsing the values.
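The following is an added example, not code from the article, from Mostsevenko or from FingerprintJS. It shows the defensive counterpart of the procedure just described: a self-check that parses ICE candidate strings (the format the browser hands to JavaScript, per RFC 8839) and reports whether any server-reflexive or related address exposes a public IP, which is exactly what a relay such as Private Relay is supposed to hide. The candidate lines below are constructed sample data using documentation address ranges; in a browser the same strings arrive as `event.candidate.candidate` from an `RTCPeerConnection`'s `icecandidate` event, so a user or site operator can run the audit against live candidates to confirm that nothing but relay addresses reach the page.

```javascript
// Added example (not from the article): audit WebRTC ICE candidates for exposed public IPs.
// ICE candidate attribute (RFC 8839):
//   [a=]candidate:<foundation> <component> <transport> <priority> <address> <port>
//        typ <host|srflx|prflx|relay> [raddr <related-address> rport <related-port>] ...
const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)(?: raddr (\S+) rport (\d+))?/i;

// Parse one candidate line into its fields; returns null for anything that is not a candidate.
function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(),
    relatedAddress: m[8] || null, // for srflx/relay candidates this is the address the STUN/TURN server saw
    relatedPort: m[9] ? Number(m[9]) : null,
  };
}

// Non-routable IPv4 ranges: RFC 1918, loopback, link-local, CGNAT (RFC 6598) and the unspecified address.
function isPrivateIPv4(addr) {
  const parts = addr.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return false;
  const [a, b] = parts;
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254) ||
    (a === 100 && b >= 64 && b <= 127)
  );
}

function isPublicIPv4(addr) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(addr) && !isPrivateIPv4(addr);
}

// Collect every candidate and every public IPv4 that would be visible to the page.
// A server-reflexive (srflx) address, or the raddr of a relay candidate, is the
// address the STUN/TURN server observed: if it is public while the browser is meant
// to be behind a relay, that is the leak the article describes.
function auditCandidates(lines) {
  const candidates = [];
  const exposed = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip end-of-candidates markers, blank lines, malformed input
    candidates.push(c);
    if (c.type === 'srflx' && isPublicIPv4(c.address)) exposed.add(c.address);
    if (c.relatedAddress && isPublicIPv4(c.relatedAddress)) exposed.add(c.relatedAddress);
  }
  return { candidates, exposedPublicIPs: [...exposed].sort() };
}

// Constructed sample candidates (documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
// The host candidate uses an mDNS name, which is how modern browsers hide local addresses.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 a1b2c3d4-0000-4000-8000-000000000001.local 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 0.0.0.0 rport 0 generation 0',
  'a=candidate:3 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 54321 generation 0',
  '', // end-of-candidates marker as delivered by the browser
];

console.log(JSON.stringify(auditCandidates(SAMPLE_CANDIDATES), null, 2));
```

On a properly relayed connection the expected result is an empty `exposedPublicIPs` list: only mDNS host names and relay-server addresses should be visible, never the address the STUN server saw. Note that this check inspects only the candidate text; the fix the article mentions works at a different layer, by keeping the real address out of the candidates Safari hands to JavaScript in the first place.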

Hacker News announced the launch of FingerprintJS on Friday.

FingerprintJS reported the bug to Apple, and the company has provided a fix in the latest macOS Monterey beta released this week. The vulnerability is not fixed in iOS 15.
