iCloud Private Relay flaw leaks users' IP addresses

A flaw discovered in Apple's new iCloud Private Relay defeats the feature's raison d'etre by exposing a user's IP address when certain conditions are met.

iCloud Private Relay


As detailed by researcher and developer Sergey Mostsevenko in a blog post this week, a flaw in Private Relay's handling of WebRTC can "leak" a user's real IP address. A proof of concept is available on the FingerprintJS website.

Announced at the Worldwide Developers Conference in June, Private Relay promises to prevent third-party tracking of IP addresses, user location and other details by routing internet requests through two separate relays operated by two different entities. Internet connections configured to pass through Private Relay use anonymous IP addresses that map to a user's region but do not reveal their exact location or identity, Apple says.

In theory, websites should only see the IP address of an egress proxy, but a user's real IP, which is retained in certain WebRTC communications scenarios, can be sussed out with some clever code.

As explained by Mostsevenko, the WebRTC API is used to facilitate direct communications over the web without the need for an intermediate server. Deployed in most browsers, WebRTC relies on the interactive connectivity establishment (ICE) framework to connect two users. One browser collects ICE candidates -- potential methods of connection -- to find and establish a link with a second browser.

The vulnerability lies with the server reflexive candidate, the candidate type whose address is learned from a Session Traversal Utilities for NAT (STUN) server so that a device sitting behind a NAT can be reached. Network address translation (NAT) is a protocol that enables multiple devices to access the internet through a single IP address. Importantly, the address and port a STUN server reports back are the user's public IP address and port number.

"Because Safari doesn't proxy STUN requests through iCloud Private Relay, STUN servers know your real IP address. This isn't an issue on its own, as they have no other information; however, Safari passes ICE candidates containing real IP addresses to the JavaScript environment," Mostsevenko says. "De-anonymizing you then becomes a matter of parsing your real IP address from the ICE candidates -- something easily accomplished with a web application."

A user's IP address can be gleaned by making a connection object with a STUN server, collecting the ICE candidates and parsing the values, according to the researcher.
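The check a user would run to see whether their own browser hands such a candidate to page script, as an added example that is not code from the article or from FingerprintJS: it parses ICE candidate strings of the kind Safari passes to JavaScript and reports which ones carry a public address. The function names are this example's own, the candidate lines are constructed, and the IP addresses come from documentation ranges.

```javascript
// Added example (not from AppleInsider or FingerprintJS): a self-check that
// parses WebRTC ICE candidate strings and reports which ones expose a
// public address to the page. Candidate strings below are constructed.

// RFC 1918, loopback and link-local ranges do not identify a user.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Parse one SDP candidate line (RFC 5245 syntax):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  if (!m) return null;
  return { foundation: m[1], protocol: m[3].toLowerCase(), address: m[5],
           port: Number(m[6]), type: m[7] };
}

// A srflx (server reflexive) candidate carries the address the STUN server
// saw, i.e. the client's public IP unless STUN traffic was proxied. A host
// candidate with a public address exposes an interface address directly.
function findLeaks(lines) {
  const leaks = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (c.address.endsWith(".local")) continue;      // mDNS-obfuscated host candidate
    if (c.type === "relay") continue;                // TURN relay address, not the client's
    const v4 = /^\d+\.\d+\.\d+\.\d+$/.test(c.address);
    if (v4 && isPrivateIPv4(c.address)) continue;
    leaks.push({ type: c.type, address: c.address });
  }
  return leaks;
}

// In a browser the input would be the candidates delivered by
// RTCPeerConnection.onicecandidate after a STUN server is configured; this
// constructed sample mirrors a gathering run in which STUN was not proxied.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host generation 0",
  "candidate:2 1 udp 2122194687 3f9c1a2b-4d5e-6f70-8192-a3b4c5d6e7f8.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.20 rport 54321",
  "candidate:4 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 54321",
];

console.log(findLeaks(SAMPLE_CANDIDATES)); // → [{ type: "srflx", address: "203.0.113.45" }]
```

An empty result from a real gathering run is what the "WebRTC Sockets Proxying" setting or a patched browser should produce.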

The Hacker News reported on the FingerprintJS discovery on Friday.

FingerprintJS reported the flaw to Apple and the company pushed out a fix in the latest macOS Monterey beta released this week. The vulnerability remains unpatched on iOS 15.


Comments

  • Reply 1 of 15
    I just wanted to point out to anyone worried about this that you don’t have to wait for an Apple fix. Just go into experimental settings in the Safari section of the settings app and enable WebRTC Sockets Proxying. In my testing the tool was indeed reporting my leaked IP address before enabling the switch, but not after.
  • Reply 2 of 15
    rjan said:
    I just wanted to point out to anyone worried about this that you don’t have to wait for an Apple fix. Just go into experimental settings in the Safari section of the settings app and enable WebRTC Sockets Proxying. In my testing the tool was indeed reporting my leaked IP address before enabling the switch, but not after.
    thanks!!
  • Reply 3 of 15
    Or perhaps an easier 'fix'... stop using Safari.
  • Reply 4 of 15
    Or perhaps an easier 'fix'... stop using Safari.
    Yeah use Chrome, much more secure and private. /s
  • Reply 5 of 15
    crowley
    Seems less like a flaw and more like an unsupported niche scenario.
  • Reply 6 of 15
    crowley said:
    Seems less like a flaw and more like an unsupported niche scenario.
    One that this person has announced to the mainstream before Apple could release the fix they know they are already testing. 
  • Reply 7 of 15
    Or perhaps an easier 'fix'... stop using Safari.
    Yeah, use Chrome that installs a hidden server on your computer that transmits even when you are not using the browser. The IT department at the hospital I worked at had a fit because people kept downloading it and Google had redesigned it so the only way to block downloading it was to impact the function of the network. 
  • Reply 8 of 15
    gatorguy
    genovelle said:
    Or perhaps an easier 'fix'... stop using Safari.
    Yeah, use Chrome that installs a hidden server on your computer that transmits even when you are not using the browser. The IT department at the hospital I worked at had a fit because people kept downloading it and Google had redesigned it so the only way to block downloading it was to impact the function of the network. 
    Your hospital's IT administrators didn't insist on Chrome for Enterprise which operates under different rules and security settings and under the hospital's control? Employees install personal consumer browsers of choice on the hospital's computer systems? Extremely questionable decision-making by them if true, so your story sounds, well, equally questionable. 
    edited September 2021
  • Reply 9 of 15
    Isn't this service currently in beta, and as such there will be bugs found to be ironed out? Don't see any mention of this in the article, so I could be wrong...
  • Reply 10 of 15
    spheric
    scatz said:
    Isn't this service currently in beta, and as such there will be bugs found to be ironed out? Don't see any mention of this in the article, so I could be wrong...
    It's explicitly labeled as "beta" in the corresponding setting in the iCloud preferences and disabled by default, so…yup.
  • Reply 11 of 15
    Or perhaps an easier 'fix'... stop using Safari.
    Or perhaps an even better suggestion, don’t listen to Google brown nosers…
  • Reply 12 of 15
    gatorguy said:
    genovelle said:
    Or perhaps an easier 'fix'... stop using Safari.
    Yeah, use Chrome that installs a hidden server on your computer that transmits even when you are not using the browser. The IT department at the hospital I worked at had a fit because people kept downloading it and Google had redesigned it so the only way to block downloading it was to impact the function of the network. 
    Your hospital's IT administrators didn't insist on Chrome for Enterprise which operates under different rules and security settings and under the hospital's control? Employees install personal consumer browsers of choice on the hospital's computer systems? Extremely questionable decision-making by them if true, so your story sounds, well, equally questionable. 
    Google redesigned their consumer version of Chrome so that the installer runs in the current user space on Windows machines, defeating many security policies that admins can implement on machines via Active Directory GPOs to prevent non-admin users from installing anything... Even trying to block the installer executable filename from running is defeated thanks to the filth that is Chrome's installer, which now, for all intents and purposes, behaves much like a virus instead of a normal application installer.
  • Reply 13 of 15
    chadbag
    Or perhaps an easier 'fix'... stop using Safari.
    And use what, Chrome? Ha ha ha lol lol lol

    (not sure why but inserting emoji ended up showing Chinese or other Asian Chinese characters when posted). 
    edited September 2021
  • Reply 14 of 15
    gatorguy
    gatorguy said:
    genovelle said:
    Or perhaps an easier 'fix'... stop using Safari.
    Yeah, use Chrome that installs a hidden server on your computer that transmits even when you are not using the browser. The IT department at the hospital I worked at had a fit because people kept downloading it and Google had redesigned it so the only way to block downloading it was to impact the function of the network. 
    Your hospital's IT administrators didn't insist on Chrome for Enterprise which operates under different rules and security settings and under the hospital's control? Employees install personal consumer browsers of choice on the hospital's computer systems? Extremely questionable decision-making by them if true, so your story sounds, well, equally questionable. 
    Google redesigned their consumer version of Chrome so that the installer runs in the current user space on Windows machines, defeating many security policies that admins can implement on machines via Active Directory GPOs to prevent non-admin users from installing anything... Even trying to block the installer executable filename from running is defeated thanks to the filth that is Chrome's installer, which now, for all intents and purposes, behaves much like a virus instead of a normal application installer.
    If the business is running the private & secure Chrome for Enterprise would it matter? Even an employee-installed personal Chrome browser would fall under the control of IT on a corporate-managed device. There's no personal or private data harvesting in Chrome for Enterprise if that's what you imagine the concern should be. 
    https://docs.citrix.com/en-us/tech-zone/build/tech-papers/google-chrome.html
    edited September 2021