De-anonymizing users of VPN-like service, launched with iOS 15 yesterday, is ‘easily accomplished’

An as-yet-unpatched vulnerability in Apple’s new iCloud Private Relay service for iOS 15 means it can leak users’ true IP addresses, a security researcher has claimed.

iCloud Private Relay is a free upgrade provided for paying iCloud users in Apple’s latest mobile operating system update, which was launched yesterday (September 21).

It has similarities to a VPN in that it encrypts web-browsing traffic and sends it through a relay to hide the contents, as well as the user’s location and IP address. Any websites visited should only see the proxy IP address assigned by iCloud.

WebRTC leak vector

However, a security researcher has discovered that it can leak IP addresses through WebRTC, a browser API that allows websites to establish direct communication between website visitors – and which has been associated with similar weaknesses in other browsers in the past.

WebRTC sets up communications by using the ICE (interactive connectivity establishment) framework. This involves collecting ‘ICE candidates’ that include the IP address or domain name, port, protocol, and other information. The browser will then return the ICE candidates to the browser application.

However, writes Sergey Mostsevenko, a researcher and developer at browser fingerprinting library FingerprintJS, Safari is passing ICE candidates containing real IP addresses to the JavaScript environment.

“De-anonymizing you then becomes a matter of parsing your real IP address from the ICE candidates – something easily accomplished with a web application,” he says.

Prospects for a patch

Mostsevenko recommends either switching to a VPN or disabling JavaScript in Safari’s browser settings to turn off WebRTC – although this may affect how websites built with JavaScript are displayed.

The researcher said the vulnerability has been fixed in the recently released MacOS Monterey beta. The stable macOS release is due some time in the fall.

A patch may be forthcoming for Safari under iOS too, independent privacy researcher and consultant Dr Lukasz Olejnik tells The Daily Swig. “In general, it would not be that difficult to address it.”


Read more of the latest Apple security news


FingerprintJS has alerted Apple to the problem, but says it has not yet received a response.

“We think it is a pretty serious leak, as it impacts anyone who is using Private Relay since its launch with iOS 15, a spokesperson tells The Daily Swig. “Apple has marketed the new feature as protecting IP addresses from visited websites to protect user privacy, though due to this vulnerability IP addresses can be accessed.

“The vulnerability undermines key functionality of the feature, and may give users a false sense of security as to how much of their private information is being protected while browsing.”

The Daily Swig has contacted Apple for comment and we will update this article if we hear back.


RELATED VPN users unmasked by zero-day vulnerability in Virgin Media routers