One of the best new iOS 15 features may also have a serious security flaw

Cybersecurity researchers have flagged a potential zero-day vulnerability in Apple’s new iCloud Private Relay service for iOS 15 that can leak users’ true IP addresses.

Offered as a free upgrade for paying iCloud users in Apple’s latest mobile operating system update, iCloud Private Relay allows users to hide their IP addresses and DNS requests from websites and network service providers.

However, Sergey Mostsevenko, a researcher and developer at security vendor FingerprintJS, discovered that the service leaks IP addresses through the WebRTC API.

In a post detailing the vulnerability, Mostsevenko demonstrates that this leak enables websites to establish direct communication with their visitors, defeating the anonymizing purpose of the private relay service.

Leaky service

The new Apple service is similar to a VPN, in that it encrypts web-browsing traffic and sends it through a relay to obfuscate its contents, including the user’s location and IP address. When browsing the web through the service, visited websites will only see the proxy IP address assigned by iCloud.

Explaining Mostsevenko’s findings, The Daily Swig says that the service relies on WebRTC to set up communications with the help of the ICE (Interactive Connectivity Establishment) framework.

As part of that process it collects what are known as ICE candidates, which include information such as the IP address or domain name, port, and protocol, and which it then returns to the browser.

However, Mostsevenko found that Apple’s Safari web browser is passing ICE candidates containing the real IP addresses.
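
To make the candidate format concrete, here is an added example (not from this article or from Mostsevenko’s post) that parses candidate lines in the RFC 8839 attribute syntax and flags any that carry a public address different from the relay’s egress address. The function names, sample lines and addresses are constructed for illustration.

```javascript
// Added example: audit ICE candidate lines for addresses that bypass a relay.
// All sample lines and addresses are constructed (documentation ranges).
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").replace(/^candidate:/, "").split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null; // not a candidate line
  const c = { foundation: f[0], component: Number(f[1]), transport: f[2].toLowerCase(),
    priority: Number(f[3]), address: f[4], port: Number(f[5]), type: f[7] };
  // Extension attributes follow as name/value pairs (raddr, rport, tcptype).
  for (let i = 8; i + 1 < f.length; i += 2) c[f[i]] = f[i + 1];
  return c;
}

function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns"; // per-session mDNS name, not an IP
  if (a.includes(":")) { // IPv6 literal
    if (a === "::1") return "loopback";
    if (/^fe[89ab]/.test(a)) return "link-local"; // fe80::/10
    return /^f[cd]/.test(a) ? "private" : "public"; // fc00::/7 is unique-local
  }
  const o = a.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "hostname";
  if (o[0] === 127) return "loopback";
  if (o[0] === 169 && o[1] === 254) return "link-local";
  const rfc1918 = o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168);
  return rfc1918 ? "private" : "public";
}

function auditCandidates(lines, relayAddress) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const scope = classifyAddress(c.address);
    // A public address differing from what the site sees over HTTP is the leak.
    findings.push({ type: c.type, address: c.address, scope,
      leak: scope === "public" && c.address !== relayAddress });
  }
  return findings;
}

const RELAY = "198.51.100.20"; // constructed relay egress address
const SAMPLE = [
  "candidate:1 1 udp 2113937151 6f1c2d3e-0000-4000-8000-aabbccddeeff.local 54321 typ host",
  "candidate:2 1 udp 1677729535 203.0.113.7 46154 typ srflx raddr 0.0.0.0 rport 0",
  "a=candidate:3 1 udp 1677729535 198.51.100.20 50000 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 tcp 1518280447 192.168.1.23 9 typ host tcptype active",
];
console.log(auditCandidates(SAMPLE, RELAY));
```

In the constructed sample only the second candidate is flagged: it is a server-reflexive (`srflx`) candidate whose public address does not match the relay address.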

“To fix this vulnerability, Apple will need to modify Safari so it routes all traffic through iCloud Private Relay,” concludes Mostsevenko, who has reported the vulnerability to Apple, but hasn’t heard back.

Via The Daily Swig

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
