Zero-day vulnerability in Apple’s new iCloud Private Relay service for iOS 15 exposes users’ real IP addresses

Cybersecurity specialists report the detection of an unpatched vulnerability in iCloud Private Relay, a service implemented by Apple in its latest update and whose successful exploitation would allow threat actors to obtain the true IP address of a user online. As some users may remember, iCloud Private Relay is a new feature for iPhone users who have paid for the upgrade to iOS 15, released on Tuesday.

This feature operates similarly to a VPN service in that it encrypts web browsing traffic and sends it through a relay to hide the user’s content, location, and IP address. All visited websites should only see the proxy IP address assigned by iCloud.

Just a few hours ago, a researcher discovered that it is possible to leak IP addresses through WebRTC, a browser API that allows websites to initiate direct communication between their visitors. This functionality has been the subject of multiple web security reports on previous occasions.

WebRTC communication is initiated using the Interactive Connectivity Establishment (ICE) framework, which requires collecting so-called “ICE candidates” such as IP addresses, domain names, ports, protocols, and other data. The web browser then returns the ICE candidates to the application running in the browser.

Researcher and developer Sergey Mostsevenko mentions that Safari passes ICE candidates containing real IP addresses to the JavaScript environment: “Deanonymizing this information becomes a matter of analyzing your real IP address of ICE candidates, something trivial and achievable with just a web application.”
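To check what a given browser or relay configuration actually hands to page scripts, the candidate strings can be parsed and each address classified. The following is an added example, not code from the researcher or from Apple; the function names and the sample candidate lines are assumptions constructed for illustration, and it handles the standard `candidate:` line format only.

```javascript
// Added example. Candidate strings below are constructed (documentation address ranges).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2113937151 3f2a9c1e-7b44-4d0a-9e1b-5c6d7e8f9a0b.local 54321 typ host",
  "candidate:2 1 udp 2113937151 192.168.1.23 54322 typ host",
  "candidate:3 1 udp 1677729535 203.0.113.45 61000 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 33562367 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 61000",
  "not a candidate line",
];

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr>] ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").replace(/^candidate:/, "").split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null; // malformed or unrelated line
  const raddrAt = f.indexOf("raddr", 8);
  return { address: f[4], type: f[7], relatedAddress: raddrAt > 0 ? f[raddrAt + 1] : undefined };
}

// Classify an address from the client's privacy point of view.
function addressKind(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns";               // random mDNS name, no IP disclosed
  if (a === "0.0.0.0" || a === "::") return "redacted";  // field blanked by the browser
  const v4 = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(a);
  if (v4) {
    const [x, y] = [Number(v4[1]), Number(v4[2])];
    const priv = x === 10 || x === 127 || (x === 172 && y >= 16 && y <= 31) ||
                 (x === 192 && y === 168) || (x === 169 && y === 254);
    return priv ? "private-ip" : "public-ip";
  }
  if (a.includes(":")) return /^(::1$|fe[89ab]|f[cd])/.test(a) ? "private-ip" : "public-ip";
  return "hostname";
}

// Collect every literal IP in the candidate set that belongs to the client, not to a relay.
function clientAddresses(lines) {
  const seen = new Map();
  for (const c of lines.map(parseCandidate).filter(Boolean)) {
    // For a relay candidate the connection address is the TURN server's; only raddr is the client's.
    const own = c.type === "relay" ? [c.relatedAddress] : [c.address, c.relatedAddress];
    for (const addr of own.filter(Boolean)) {
      const kind = addressKind(addr);
      if (kind === "private-ip" || kind === "public-ip") seen.set(addr, kind);
    }
  }
  return Object.fromEntries(seen);
}
```

Any `public-ip` entry in the result that differs from the proxy address the relay assigned means the real address is reaching page scripts.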

The expert recommends switching to a real VPN service or disabling JavaScript in your Safari browser settings to disable WebRTC. Mostsevenko mentions that the vulnerability was fixed in the beta version of macOS Monterey, released this week.

Finally, the researcher mentions that a patch could also be available for Safari on iOS, in addition to the stable version that is about to be released.
