However, a flaw in the system appears to have made it rather insecure. It was discovered by researcher and developer Sergey Mostsevenko, who found that the flaw resulted in the user’s IP address being revealed. A proof of concept of this flaw in action can be found on the FingerprintJS website.
Mostsevenko explains it by saying, “Because Safari doesn’t proxy STUN requests through iCloud Private Relay, STUN servers know your real IP address. This isn’t an issue on its own, as they have no other information; however, Safari passes ICE candidates containing real IP addresses to the JavaScript environment. De-anonymizing you then becomes a matter of parsing your real IP address from the ICE candidates — something easily accomplished with a web application.”
The good news is that the flaw seems to have been patched in the latest macOS Monterey beta. It remains unpatched in iOS 15, though we imagine that Apple should eventually get around to it.
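For readers who want to check their own browser for the behaviour Mostsevenko describes, the following added example (not code from FingerprintJS or Apple) audits ICE candidate lines you have collected yourself and flags any public address that differs from the address sites see over HTTP. The function names, the sample candidates and the relay egress address are assumptions constructed for illustration.

```javascript
// Added example: audit ICE candidate lines for addresses that bypass a relay.
// Every candidate and address below is constructed (RFC 5737 / RFC 1918 ranges).

// Parse the core fields of one ICE candidate attribute line.
function parseCandidate(line) {
  const re = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/i;
  const m = re.exec(line.trim());
  if (!m) return null; // not a candidate line
  const ext = m[8].trim().split(/\s+/).filter(Boolean);
  const extras = {};
  for (let i = 0; i + 1 < ext.length; i += 2) extras[ext[i]] = ext[i + 1];
  return {
    transport: m[3].toLowerCase(),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(), // host, srflx, prflx or relay
    raddr: extras.raddr || null,
  };
}

// True for addresses that do not identify the user on the public internet.
function isPrivateOrLocal(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return true; // mDNS-obfuscated host candidate
  if (/^(10\.|127\.|169\.254\.|192\.168\.)/.test(a)) return true;
  const m = /^172\.(\d+)\./.exec(a);
  if (m && Number(m[1]) >= 16 && Number(m[1]) <= 31) return true;
  return a === '::1' || a.startsWith('fe80:') || /^f[cd][0-9a-f]{2}:/.test(a);
}

// Return candidates exposing a public address other than the relay egress IP
// (the address web servers see for this browser; supplied by the caller).
function findLeaks(lines, relayEgressIp) {
  return lines
    .map(parseCandidate)
    .filter((c) => c && !isPrivateOrLocal(c.address) && c.address !== relayEgressIp);
}

// Constructed sample: one obfuscated host, one leaking srflx, one candidate
// matching the relay egress address, one private host address.
const SAMPLE = [
  'candidate:1 1 udp 2113937151 3f2a9c1e-7b4d-4e0a-9d55-1c2b3a4d5e6f.local 54321 typ host',
  'candidate:2 1 udp 1677729535 203.0.113.45 61234 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:3 1 udp 1677729535 198.51.100.7 50000 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 2113937151 192.168.1.20 54400 typ host',
];

for (const c of findLeaks(SAMPLE, '198.51.100.7')) {
  console.log(`leak: ${c.type} candidate exposes ${c.address}`);
}
```

An empty result for candidates gathered on a patched build is the expected outcome.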