A flaw was discovered in Apple’s recently launched iCloud Private Relay system that exposes the user’s real IP address when certain conditions are met, undermining the basic value of the feature. As researcher and developer Sergey Mostsevenko detailed in a blog post this week, a flaw in how Private Relay handles WebRTC can leak the user’s real IP address; a proof of concept is available on the FingerprintJS website.
Private Relay, announced at the Worldwide Developers Conference in June, promises to prevent third parties from tracking IP addresses, user locations, and other details by routing Internet requests through two separate relays operated by two different entities. Apple said that connections made through Private Relay use an anonymous IP address assigned to the user’s region, which does not reveal the user’s exact identity or location.
In theory, a website should only ever see the IP address of the egress proxy, but in some WebRTC communication scenarios the user’s real IP address is still exposed and can be recovered with a small amount of JavaScript.
As Mostsevenko explained, the WebRTC API is used to enable direct peer-to-peer communication between browsers without an intermediate server. Implemented in most browsers, WebRTC relies on the Interactive Connectivity Establishment (ICE) framework to connect two peers: one browser gathers ICE candidates, each describing a possible way to reach it, and these are used to find a working path to the second browser.
The vulnerability lies in the server reflexive candidate, which is obtained from a Session Traversal Utilities for NAT (STUN) server and is used to reach devices behind NAT. Network Address Translation (NAT) is a technique that allows multiple devices to access the Internet through a single IP address. The important point is that the STUN server reports back the user’s public IP address and port number, and that pair ends up in the candidate.
“Since Safari does not send STUN requests through iCloud Private Relay, the STUN server knows your real IP address. This is not a problem in itself, because they have no other information; however, Safari passes ICE candidates that contain real IP addresses to the JavaScript environment,” Mostsevenko said. “Then once the de-anonymization is complete, it becomes a problem to parse your actual IP address from the ICE candidates; this can easily be done via a web app.”
According to the researcher, a web page can therefore collect the user’s IP address simply by creating a peer connection object that points at a STUN server, gathering the ICE candidates it produces, and parsing the addresses out of them.
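For a concrete picture of what the candidates being parsed look like, and of how a privacy-minded tester can check their own setup for this class of leak, here is an added example (not code from the article, from FingerprintJS or from Apple). It parses ICE candidate lines in the standard `candidate:` attribute syntax and flags any candidate that exposes a public IP address other than the one the relay is expected to present to websites. The candidate lines and the expected egress address are constructed sample values using documentation address ranges; in a real audit they would come from the browser’s `icecandidate` events and from the relay’s known egress range.

```javascript
// Added example, not code from the article or from FingerprintJS: a self-audit
// helper that parses ICE candidate lines in the standard "candidate:" attribute
// syntax (RFC 8839) and flags candidates that expose a public IP address other
// than the one a privacy relay is expected to present to websites.
// Candidate lines are normally obtained from RTCPeerConnection "icecandidate"
// events; here they are constructed sample strings.

const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/;

// Parse one candidate line into its fields; returns null if the line is not a
// candidate attribute.
function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(String(line).trim());
  if (!m) return null;
  const [, foundation, component, transport, priority, address, port, type, rest] = m;
  const extras = {};
  const tokens = rest.trim().split(/\s+/).filter(Boolean);
  for (let i = 0; i + 1 < tokens.length; i += 2) extras[tokens[i]] = tokens[i + 1];
  return {
    foundation,
    component: Number(component),
    transport: transport.toLowerCase(),
    priority: Number(priority),
    address,
    port: Number(port),
    type,                                   // host | srflx | prflx | relay
    raddr: extras.raddr || null,            // related address (srflx/relay only)
    rport: extras.rport ? Number(extras.rport) : null,
  };
}

// RFC 1918, loopback and link-local IPv4 ranges: a LAN address is not a
// public-IP leak for the purposes of this audit.
function isPrivateIPv4(ip) {
  return /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(ip);
}

// Browsers usually replace host candidate addresses with an mDNS name
// (e.g. "xxxxxxxx.local"); such candidates reveal no address at all.
function isMdnsName(addr) {
  return /\.local$/i.test(addr);
}

// Audit a set of candidate lines. expectedEgress is the address the relay is
// expected to show to websites (assumed to be known to the person auditing).
// Returns how many candidates parsed and every candidate that exposes a public
// IP address different from the expected egress address.
function auditCandidates(lines, expectedEgress) {
  let parsed = 0;
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    parsed += 1;
    if (c.type === 'relay') continue;        // TURN server address, not the client
    if (isMdnsName(c.address) || isPrivateIPv4(c.address)) continue;
    if (c.address !== expectedEgress) {
      findings.push({
        ...c,
        reason: `public address ${c.address} differs from expected egress ${expectedEgress}`,
      });
    }
  }
  return { parsed, findings };
}

// Constructed sample data using documentation address ranges (not real hosts).
const EXPECTED_EGRESS_IP = '198.51.100.200';
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 a1b2c3d4-5e6f.local 54321 typ host generation 0',
  'candidate:2 1 udp 2122194687 192.168.1.23 54321 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0',
  'candidate:4 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 54321',
  'this line is not a candidate',
];

const result = auditCandidates(SAMPLE_CANDIDATES, EXPECTED_EGRESS_IP);
console.log(`parsed ${result.parsed} candidates, ${result.findings.length} leak(s)`);
for (const f of result.findings) console.log(`  ${f.type}: ${f.reason}`);
```

On the sample input only the server reflexive candidate is reported: its address is what the STUN server observed, and because that request did not go through the relay it differs from the egress address the rest of the page’s traffic shows. The host candidates are skipped because one is an mDNS name and the other a private LAN address, and the relay candidate is skipped because it belongs to the TURN server rather than the client. The same check, run against candidates gathered in Safari with Private Relay enabled, is a direct way to confirm whether a given OS build is affected.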
FingerprintJS reported the vulnerability to Apple, and the company pushed a fix in the latest beta version of macOS Monterey released this week. However, the vulnerability has yet to be patched in iOS 15.
Learn more:
https://fingerprintjs.com/blog/ios15-icloud-private-relay-vulnerability/