Apple's New iCloud Private Relay Service Leaks Users' Real IP Addresses
A new, as-yet unpatched weakness in Apple's iCloud Private Relay feature could be exploited to leak users' true IP addresses from iOS devices running the latest version of the operating system.
Introduced with iOS 15, which was officially released this week, iCloud Private Relay aims to improve anonymity on the web by employing a dual-hop architecture that effectively shields users' IP address, location, and DNS requests from websites and network service providers.
"If you read the IP address from an HTTP request received by your server, you'll get the IP address of the egress proxy," FingerprintJS researcher Sergey Mostsevenko said.
The vulnerability unearthed by FingerprintJS has to do with a specific ICE candidate dubbed the "Server Reflexive Candidate" that's generated by a STUN server when data from the endpoint needs to be transmitted around a NAT. STUN - i.e., Session Traversal Utilities for NAT - is a tool used to retrieve the public IP address and port number of a networked computer situated behind a NAT. Specifically, the flaw arises from the fact that such STUN requests aren't proxied through iCloud Private Relay, so the real IP address of the client is exposed when the ICE candidates are exchanged during the WebRTC signaling process.
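As an added example (not code from the article or from FingerprintJS), the JavaScript below parses ICE candidate lines and reports any server reflexive (`srflx`) candidate whose address differs from the egress proxy address an HTTP server would see, which is the mismatch described above. The candidate lines use constructed, documentation-range addresses, and the function names are hypothetical.

```javascript
// Constructed sample candidate lines (documentation-only address ranges).
const SAMPLE_CANDIDATES = [
  // Host candidate hidden behind an mDNS name: no IP literal disclosed.
  "candidate:1 1 udp 2113937151 4f7c1e2a-9b3d-4c55-8e21-0a1b2c3d4e5f.local 54321 typ host",
  // Server reflexive candidate: the address is what the STUN server saw.
  "a=candidate:842163049 1 udp 1677729535 203.0.113.7 46154 typ srflx raddr 0.0.0.0 rport 0",
  "not a candidate line",
];

// Parse one SDP candidate attribute:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [ext...]
function parseCandidate(line) {
  const fields = line.trim().replace(/^a=/, "").replace(/^candidate:/, "").split(/\s+/);
  if (fields.length < 8 || fields[6] !== "typ") return null;
  const [foundation, component, transport, priority, address, port, , type, ...rest] = fields;
  const ext = {};
  for (let i = 0; i + 1 < rest.length; i += 2) ext[rest[i]] = rest[i + 1];
  return {
    foundation,
    component: Number(component),
    transport: transport.toLowerCase(),
    priority: Number(priority),
    address,
    port: Number(port),
    type,
    relatedAddress: ext.raddr || null,
  };
}

// True for IPv4/IPv6 literals, false for mDNS-style hostnames.
function isIpLiteral(addr) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(addr) ||
    (addr.includes(":") && /^[0-9a-fA-F:.]+$/.test(addr));
}

// Return srflx addresses that differ from the egress IP seen over HTTP.
function findAddressLeaks(lines, egressIp) {
  const leaks = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c && c.type === "srflx" && isIpLiteral(c.address) && c.address !== egressIp) {
      leaks.push({ address: c.address, port: c.port, transport: c.transport });
    }
  }
  return leaks;
}
```

If STUN traffic went through the same relay as HTTP, the `srflx` address would equal the egress address and `findAddressLeaks` would return an empty list.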
The leak has remained unpatched when using iCloud Private Relay on iOS 15.
The revelation is yet another indication that iCloud Private Relay can never be a replacement for VPNs, and users who are concerned about the visibility of their IP addresses should use a real VPN or browse the internet over the Tor network and completely disable JavaScript in Safari to turn off WebRTC-related features.