Security researchers have identified a vulnerability in iCloud Private Relay on iOS 15 that would let third parties circumvent its protections and obtain a user's real IP address.
Tracking users across multiple online domains is a sticky privacy problem because it takes many forms. Websites and companies are interested in tracking users, building shadow profiles, targeting them with ads, and more.
Some browsers and other services have tried to mitigate this problem with Do Not Track features, but they don’t always work. And new ways to track users are constantly being developed, compounding the problem. Apple, trying to deal with this issue, launched a new service named iCloud Private Relay. Basically, it routes DNS and other network requests through relays, hiding the actual IP addresses of its users.
“It ensures that the traffic leaving your device is encrypted so no one can intercept and read it,” says Apple. “Then all your requests are sent through two separate internet relays. It’s designed so that no one — including Apple — can use your IP address, location, and browsing activity to create a detailed profile about you.”
Security researchers from FingerprintJS discovered that the service does not always behave this way. Finding out the user’s actual IP address is not all that difficult, they say.
“Because Safari doesn’t proxy STUN requests through iCloud Private Relay, STUN servers know your real IP address,” the researchers explained. “This isn’t an issue on its own, as they have no other information; however, Safari passes ICE candidates containing real IP addresses to the JavaScript environment. De-anonymizing you then becomes a matter of parsing your real IP address from the ICE candidates — something easily accomplished with a web application.”
The vulnerability is only present in the iOS 15 stable build. Apple patched this issue in the macOS Monterey Beta released last week. Please keep in mind that iCloud Private Relay is part of the iCloud+ subscription, so it’s not available by default to everyone.
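To check your own browser for the exposure the researchers describe, you can compare the addresses in its ICE candidates against the relay's egress address. The following is an added example, not code from FingerprintJS or Apple: the function names are hypothetical, and the candidate lines and addresses are constructed from documentation ranges, with 203.0.113.7 assumed to be the relay egress IP.

```javascript
// Added example: flag ICE candidates whose address bypasses a privacy relay.
// Candidate line grammar (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];

function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null; // not a candidate line
  return { transport: m[3].toLowerCase(), address: m[5].toLowerCase(), port: Number(m[6]), type: m[7].toLowerCase() };
}

function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns"; // obfuscated host candidate, reveals no IP
  if (addr.includes(":")) {
    // IPv6: loopback, link-local (fe80::/10) and unique local (fc00::/7) are not routable
    if (addr === "::1" || /^fe[89ab]/.test(addr) || /^f[cd]/.test(addr)) return "private";
    return "public";
  }
  return PRIVATE_V4.some((re) => re.test(addr)) ? "private" : "public";
}

// Returns every candidate exposing a public address other than the relay egress IP.
function findLeaks(candidateLines, relayEgressIp) {
  const egress = relayEgressIp.toLowerCase();
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (classifyAddress(c.address) === "public" && c.address !== egress) {
      leaks.push({ address: c.address, type: c.type, transport: c.transport });
    }
  }
  return leaks;
}

// Constructed sample candidates (documentation address ranges, not real captures).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2113937151 3f2a9c1e-7b44-4c0d-9a51-0d2e6f8b1c77.local 54321 typ host",
  "candidate:2 1 udp 1677729535 198.51.100.23 61022 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:3 1 udp 2113937151 192.168.1.20 54400 typ host",
  "a=candidate:4 1 udp 1677729535 203.0.113.7 50000 typ srflx raddr 0.0.0.0 rport 0",
];

console.log(findLeaks(SAMPLE_CANDIDATES, "203.0.113.7"));
```

A server-reflexive (`srflx`) candidate is the address a STUN server saw, so any such entry that differs from the relay egress address means the STUN request did not go through the relay.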