Tech giant Apple’s new VPN service for iOS users, called iCloud Relay, may have a zero-day vulnerability. Cybersecurity researcher Sergey Mostsevenko, a developer at security firm FingerprintJS, noted that the service could reveal the IP address of its users through the WebRTC API. WebRTC stands for Web Real-Time Communication and allows websites to provide audio and video communication without additional plugins or apps.
The IP address of a user can be used to determine their identity, location and much more about them. Websites also use the Domain Name System, or DNS, to track users’ activity on the Internet. DNS is the technology that allows websites to be represented in human-readable form, like www.techcircle.in, instead of complicated addresses like 192.168.1.1.
VPN services primarily work by masking the user’s IP and DNS, making it much more difficult to identify them. The bug, which hasn’t been patched by Apple yet, could defeat the whole purpose of providing the iCloud Relay service to users.
“The service works by proxying network/HTTP traffic (including DNS requests) from the Safari browser, as well as unencrypted HTTP traffic from applications. By doing this, Apple claims that network providers no longer can see your DNS requests and unencrypted HTTP traffic; similarly, websites visited will only see your iCloud-assigned proxy IP address. This address is drawn from a pool shared between multiple iCloud Private Relay users, grouped by their approximate location (Apple provides a public table of proxy IPs/locations),” the researcher said in a blog post.
The service could potentially impact quite a few Apple users. The company had announced it at the Worldwide Developers Conference (WWDC) in May, and it went live for all users earlier this week as part of the new iCloud+ service. All paying iCloud users have been upgraded to iCloud+ automatically and can use the iCloud Relay feature.