One of the changes Apple announced at WWDC earlier this year that would be coming to Apple’s services would be iCloud Private Relay. Basically this feature is meant to help prevent third-party tracking of IP addresses, user locations, and more – essentially it is meant to provide users with better privacy.However, it seems that a flaw in the system made it rather unsecure. This was discovered by researcher and developer Sergey Mostsevenko who found that a flaw actually resulted in the user’s IP address being revealed. A proof of concept of this flaw in action can be found on the FingerprintJS website.
Mostsevenko explains it by saying, “Because Safari doesn’t proxy STUN requests through iCloud Private Relay, STUN servers know your real IP address. This isn’t an issue on its own, as they have no other information; however, Safari passes ICE candidates containing real IP addresses to the JavaScript environment. De-anonymizing you then becomes a matter of parsing your real IP address from the ICE candidates — something easily accomplished with a web application.”
The good news is that the flaw seems to have been patched in the latest macOS Monterey beta, but it remains unpatched in iOS 15, but we imagine that Apple should eventually get around to it.
Filed in . Read more about Icloud and Privacy. Source: appleinsider