KEY POINTS

  • Apple announced the iCloud Private Relay service as part of the iOS 15 beta
  • The service is now available to users following its release last week
  • Apple has already patched the flaw in macOS Monterey beta

Featured as a part of the iOS 15 beta and officially released last week, the iCloud Private Relay service aims to improve users' anonymity on the web, but a new report may have revealed otherwise, claiming the service is instead giving out users’ actual IP address.

The iCloud Private Relay service is a new feature designed to prevent third-party tracking of IP addresses, user locations and more. It is essentially meant to offer users with better privacy and enhanced anonymity. However, it appears that a flaw in the system makes the service not secure, as discovered and reported by researcher and developer Sergey Mostsevenko.

According to the researcher, the flaw caused a user's real IP address to be revealed with a proof of concept available on the FingerprintJS site.

In this file photo taken on September 20, 2019 a woman looks at her mobile phone as she walks past advertising for the new iPhone 11 Pro smartphone at an Apple store in Hong Kong
In this file photo taken on September 20, 2019 a woman looks at her mobile phone as she walks past advertising for the new iPhone 11 Pro smartphone at an Apple store in Hong Kong AFP / Philip FONG

"Because Safari doesn't proxy STUN requests through iCloud Private Relay, STUN servers know your real IP address. This isn't an issue on its own, as they have no other information; however, Safari passes ICE candidates containing real IP addresses to the JavaScript environment. De-anonymizing you then becomes a matter of parsing your real IP address from the ICE candidates — something easily accomplished with a web application," the researcher explained in his report.

Surprisingly, this is not a new finding of Apple's iCloud Private Relay service. A month ago, a Reddit user who goes by the name WhatTheHomePod revealed the same flaw in the service.

"If you perform a test with Private Relay turned on at step Reflexive connectivity you'll see your address from your ISP. If you connect through a virtual private network or proxy and try the test again then nothing is leaked. I have reported this bug to Apple. Just to be aware, for the users under us," the user noted.

Apple has already fixed the iCloud Private Relay service flaw through a patch released for the macOS Monterey beta. However, the flaw in iOS 15 is still unfixed.

It remains to be seen when Apple plans to roll out a new patch to fix this flaw in the system that aims to enhance user's anonymity and not disclose their identity. But, knowing Apple, it should get around to it very soon.