Apple’s new iCloud Relay service could leak user’s identity to websites

24 Sep, 2021

Tech giant Apple’s new VPN service for iOS users, called iCloud Relay, may have a zero-day vulnerability. Cybersecurity researcher Sergey Mostsevenko, a developer at security firm FingerprintJS, noted that the service could reveal the IP address of its users through the WebRTC API. WebRTC stands for Web Real-Time Communication and allows websites to provide audio and video communication without additional plugins or apps.

The IP address of a user can be used to determine their identity, location and much more data about them. Websites also use the Domain Name System, or DNS, to track users’ activity on the Internet. DNS is the technology that allows websites to be represented in human-readable form, like www.techcircle.in, instead of complicated addresses.

VPN services primarily work by masking the user’s IP and DNS, making it much more difficult to identify them. The bug, which hasn’t been patched by Apple yet, could defeat the whole purpose of providing the iCloud Relay service to users.

“The service works by proxying network/HTTP traffic (including DNS requests) from the Safari browser, as well as unencrypted HTTP traffic from applications. By doing this, Apple claims that network providers no longer can see your DNS requests and unencrypted HTTP traffic; similarly, websites visited will only see your iCloud-assigned proxy IP address. This address is drawn from a pool shared between multiple iCloud Private Relay users, grouped by their approximate location (Apple provides a public table of proxy IPs/locations),” the researcher said in a blog post.

He recommended that users use a “real VPN service” instead of Apple’s iCloud Relay in order to protect themselves from the flaw. They could also turn off JavaScript in the Safari browser, though that will disable all WebRTC-based services on websites. “To fix this vulnerability, Apple will need to modify Safari so it routes all traffic through iCloud Private Relay. The FingerprintJS Team has already reported this issue to them,” the blog post said.
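One way to check whether a browser behind a relay or VPN still exposes another address through WebRTC is shown below. It is an added example, not code from the article or from FingerprintJS. It assumes the address surfaces in the ICE candidate lines that WebRTC hands to page scripts (the article says only "through the WebRTC API"); the function names are hypothetical and the sample lines are constructed from documentation address ranges.

```javascript
// Classify WebRTC ICE candidate lines and flag any public address that differs
// from the relay/VPN egress address the website sees over HTTP.
// In a browser the lines come from RTCPeerConnection "icecandidate" events
// (event.candidate.candidate); here they are constructed samples.
function parseCandidate(line) {
  // candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5].toLowerCase(),
           port: Number(m[6]), type: m[7].toLowerCase() };
}

function isPrivateOrLocal(address) {
  if (address.endsWith('.local')) return true;           // mDNS-obfuscated host candidate
  if (/^(10\.|127\.|192\.168\.|169\.254\.)/.test(address)) return true;
  const m = /^172\.(\d+)\./.exec(address);
  if (m && Number(m[1]) >= 16 && Number(m[1]) <= 31) return true;
  return address === '::1' || /^fe80:/.test(address) || /^f[cd][0-9a-f]{2}:/.test(address);
}

function findLeaks(candidateLines, egressAddress) {
  const egress = egressAddress.toLowerCase();
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;                          // not a candidate line
    if (c.type === 'relay') continue;          // TURN server's address, not the user's
    if (isPrivateOrLocal(c.address)) continue; // LAN or mDNS name, not a public identity
    if (c.address !== egress) leaks.push({ address: c.address, type: c.type });
  }
  return leaks;
}

// Constructed sample: 198.51.100.7 stands in for the proxy address the site
// sees over HTTP, 203.0.113.45 for the address the proxy is meant to hide.
const EGRESS = '198.51.100.7';
const SAMPLE = [
  'candidate:1 1 udp 2113937151 3f2a9c1e-0000-4000-8000-123456789abc.local 54321 typ host',
  'candidate:2 1 udp 2113937150 192.168.1.20 54322 typ host',
  'candidate:3 1 udp 1677729535 203.0.113.45 61000 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 1677729534 198.51.100.7 61001 typ srflx raddr 0.0.0.0 rport 0',
];

console.log(findLeaks(SAMPLE, EGRESS)); // one entry: 203.0.113.45 (srflx)
```

An empty result means every public candidate matches the proxy address; with JavaScript disabled, as the article suggests, no candidates are gathered at all.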

The service could potentially impact quite a few Apple users. The company had announced it at the Worldwide Developers Conference (WWDC) in May, and it went live for all users earlier this week as part of the new iCloud+ service. All paying iCloud users have been upgraded to iCloud+ automatically and can use the iCloud Relay feature.