Apple iOS 15 iCloud private relay vulnerability discovered


Apple only launched the latest version of the iOS operating system earlier this week and one of the sparkling new features it contains is the iCloud Private Relay service.

This new service is a free upgrade for iCloud subscribers and works somewhat like a VPN. It encrypts user data and then sends it through a relay to hide both the contents of the data and the location of the user.

If you are not sure if you’re running it, iCloud Private Relay is currently only available for iCloud+ subscribers running iOS 15 or macOS 12 Monterey with the Safari browser. It is not currently available in every country because of domestic regulatory limitations.

There is just one problem. Just three days in, and a security researcher has already found a critical vulnerability.

iCloud Private Relay’s WebRTC leak

The problem was spotted by Sergey Mostsevenko, a researcher at FingerprintJS, a browser fingerprinting library.

He noticed that iCloud Private Relay could leak a user’s original IP address through WebRTC. If you are not familiar with the term, WebRTC is a browser API that allows websites to establish direct communication between website visitors.

WebRTC involves the browser collecting certain information about users, including their original IP address, and then sharing it. Mostsevenko noticed that Apple’s Safari browser was passing real IP addresses to the JavaScript environment in a format that could be easily deanonymized using a simple web application.

The same issue has plagued desktop browsers on many systems in the past but has mostly been resolved with VPN provider apps and third-party browser extensions.
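
As an added example (not code from this article or from FingerprintJS), the sketch below shows what a WebRTC leak self-test checks: it parses ICE candidate strings, the form in which WebRTC hands addresses to JavaScript, classifies each address, and flags any public address that differs from the one the website sees over HTTP. The candidate strings are constructed samples using documentation address ranges, and the function names are hypothetical; in a browser the strings would come from an `RTCPeerConnection`'s `icecandidate` events.

```javascript
// Added example. Candidate strings are constructed; addresses use documentation ranges.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2113937151 6f1c2a9e-0b7d-4c55-9e0a-3d2f8b1c7a10.local 54321 typ host",
  "candidate:2 1 udp 2113937151 192.168.1.23 54322 typ host",
  "candidate:3 1 udp 1677729535 203.0.113.45 61000 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 1677729535 198.51.100.7 61001 typ srflx raddr 0.0.0.0 rport 0",
];

// Candidate layout: foundation component transport priority address port "typ" type ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").replace(/^candidate:/, "").split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null; // not a candidate line
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns"; // browser-generated hostname, hides the IP
  if (a.includes(":")) { // IPv6
    if (a === "::1") return "loopback";
    if (/^fe[89ab]/.test(a)) return "link-local"; // fe80::/10
    if (/^f[cd]/.test(a)) return "private"; // fc00::/7 unique local
    return "public";
  }
  const parts = a.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return "invalid";
  const [o1, o2] = parts.map(Number);
  if (o1 === 127) return "loopback";
  if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) || (o1 === 192 && o2 === 168)) return "private";
  if (o1 === 169 && o2 === 254) return "link-local";
  if (o1 === 100 && o2 >= 64 && o2 <= 127) return "cgnat"; // 100.64.0.0/10
  return "public";
}

// A leak is any public address in a candidate that differs from the address
// the website sees on the HTTP connection (the relay or VPN egress).
function findLeaks(candidateLines, egressAddress) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (classifyAddress(c.address) === "public" && c.address !== egressAddress) leaks.push(c);
  }
  return leaks;
}

console.log(findLeaks(SAMPLE_CANDIDATES, "198.51.100.7"));
```

A candidate whose address is a `.local` mDNS name or a private-range address does not reveal the user's public IP on its own, which is why only public addresses that differ from the egress address are reported.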

He has notified Apple of the issue but, at the time of writing, he has received no response from them and, as far as we are aware, no patch has been released. However, Mostsevenko did note that the problem does seem to have been fixed in the recently released macOS Monterey beta.

This is their new macOS release which will not go fully live until later in the Autumn and while that suggests Apple are at least aware of the problem, it is not much help to iOS 15 users now.

What should iOS 15 users do?

The problem is pretty big for Apple users. Apple has launched iOS 15 with a not insubstantial amount of fanfare, and iCloud Private Relay has been loudly billed as a new feature that will protect users’ IP addresses and, therefore, their privacy.

As long as this vulnerability exists, that is clearly not the case and it is something that Apple needs to address quickly.

Until they do, we can only agree with the advice of the man who spotted this problem, Sergey Mostsevenko.

He says users have the option of disabling JavaScript in Safari’s browser settings to turn off WebRTC but notes that this is likely to impact the performance of some websites if they have been built with JavaScript.

So, his other suggestion is the preferable one. Switch to a VPN.

All of our recommended VPNs have been tested to see if they are susceptible to WebRTC leaks and all have passed with flying colours. Indeed, some even include WebRTC leak testing software so you can test them yourself.

Even if Apple does eventually decide to patch this issue, the fact that such a core vulnerability has been spotted so quickly after launch does not bode well for the product. It immediately raises the question of how many other vulnerabilities are hiding in this new Apple feature, waiting for hackers to uncover them.

For iOS 15 users who are genuinely determined to protect their online privacy, a VPN is a much safer option and it’s safe to say, most of our recommended VPNs won’t be leaking WebRTC data any time soon.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.
