iCloud Private Relay flaw leaks users’ IP addresses


A flaw discovered in Apple’s new iCloud Private Relay defeats the purpose of the feature by exposing a user’s IP address when certain conditions are met.

As detailed by researcher and developer Sergey Mostsevenko in a blog post this week, a flaw in Private Relay’s handling of WebRTC can “leak” a user’s real IP address. A proof of concept is available on the FingerprintJS website.

Announced at the Global Developer Conference in June, Private Relay promises to prevent third-party tracking of IP addresses, user location, and other details by routing internet requests through two separate relays operated by two different entities. Internet connections configured to go through Private Relay use anonymous IP addresses that match a user’s region but do not reveal their exact location or identity, according to Apple.

In theory, websites should only see the IP address of an egress proxy, but a user’s real IP address, which is still exposed in some WebRTC communication scenarios, can be recovered with clever code.

As explained by Mostsevenko, the WebRTC API is used to facilitate direct communication over the web without the need for an intermediary server. Deployed in most browsers, WebRTC relies on the Interactive Connectivity Establishment (ICE) framework to connect two users. A browser collects ICE candidates (potential connection methods) to find and connect to a second browser.

The vulnerability resides in the server reflexive candidate, a candidate type produced with the help of Session Traversal Utilities for NAT (STUN) servers to reach devices behind a NAT. Network Address Translation (NAT) is a protocol that allows multiple devices to access the Internet through a single IP address. It is important to note that STUN servers learn, and reflect back, a user’s public IP address and port number.

“Because Safari does not pass STUN requests through iCloud Private Relay, the STUN servers know your real IP address. This is not a problem in itself, as they have no other information. The JavaScript environment,” explains Mostsevenko. “De-anonymizing then becomes a matter of analyzing your real IP address from ICE candidates – something easy to achieve with a web application.”

A user’s IP address can be gleaned by creating a connection object with a STUN server, collecting ICE candidates, and analyzing the values, according to the researcher.
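The gathering-and-analysis sequence just described, as an added self-check example in JavaScript (not the article’s or FingerprintJS’s code): it parses the ICE candidate strings a browser produces, isolates server-reflexive candidates, and, when run in a browser, probes one STUN server to show whether an address other than the relay’s egress is exposed. The STUN URL is a placeholder and the sample candidate lines are constructed.

```javascript
// Added example, not code from the article or from FingerprintJS: classify gathered
// ICE candidates and report any server-reflexive (srflx) address a STUN server reflected.
// Constructed sample candidate lines in RFC 8445 syntax (documentation IPs).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2113937151 a1b2c3d4-0000-1111-2222-333344445555.local 51234 typ host",
  "candidate:2 1 udp 1677729535 203.0.113.5 51234 typ srflx raddr 192.168.1.10 rport 51234",
  "candidate:3 1 tcp 1518280447 192.168.1.10 9 typ host tcptype active",
];

// Parse one ICE candidate string into its fields; returns null if malformed.
function parseIceCandidate(line) {
  const f = line.replace(/^a=/, "").replace(/^candidate:/, "").trim().split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null;
  const cand = { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
  const r = f.indexOf("raddr");          // raddr/rport give the address behind the NAT
  if (r !== -1 && f[r + 2] === "rport") {
    cand.relatedAddress = f[r + 1];
    cand.relatedPort = Number(f[r + 3]);
  }
  return cand;
}

// Distinct public addresses exposed via srflx candidates. mDNS names (".local")
// that browsers substitute for host candidates carry no address and are skipped.
function serverReflexiveAddresses(lines) {
  const seen = new Set();
  for (const line of lines) {
    const c = parseIceCandidate(line);
    if (c && c.type === "srflx" && !c.address.endsWith(".local")) seen.add(c.address);
  }
  return [...seen];
}

// Browser-only self-check: gather candidates against one STUN server (placeholder
// URL, an assumption) and return the exposed addresses; empty means none exposed.
async function checkOwnExposure(stunUrl = "stun:stun.example.org:3478", timeoutMs = 3000) {
  if (typeof RTCPeerConnection === "undefined") return [];   // e.g. running under Node
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  const lines = [];
  pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); };
  pc.createDataChannel("probe");
  await pc.setLocalDescription(await pc.createOffer());
  await new Promise((done) => {
    pc.onicegatheringstatechange = () => { if (pc.iceGatheringState === "complete") done(); };
    setTimeout(done, timeoutMs);
  });
  pc.close();
  return serverReflexiveAddresses(lines);
}
```

Under a working relay the only srflx address reported should be the egress proxy’s; a home or office address in that list is the exposure the researcher describes.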

Hacker News reported on FingerprintJS’s discovery on Friday.

FingerprintJS reported the flaw to Apple and the company released a fix in the latest beta of macOS Monterey released this week. The vulnerability remains unpatched on iOS 15.
