Apple’s iCloud Private Relay flaw exposes users’ true IP addresses, so iPhone users beware.

The iCloud Private Relay service, which was included in the iOS 15 beta and was formally released last week, seeks to increase users’ privacy on the web, but a recent disclosure claims the service instead exposes users’ actual IP addresses.

The iCloud Private Relay service is a new feature that protects IP addresses, user locations, and other data from being tracked by third parties. Its primary goal is to provide users with greater privacy and anonymity. However, as identified and disclosed by researcher and developer Sergey Mostsevenko, the service looks to be insecure due to a weakness in the system.

According to the researcher, who provided a proof of concept on the FingerprintJS site, the weakness discloses a user’s genuine IP address.

“Because Safari does not employ iCloud Private Relay to proxy STUN queries, STUN servers know your real IP address. This isn’t a problem in and of itself because they have no further information; nonetheless, Safari sends ICE candidates to the JavaScript environment that contain real IP addresses.” The researcher noted in his paper that “de-anonymizing you becomes a matter of extracting your real IP address from the ICE candidates – something easily performed with a web application.”

Surprisingly, this is not the first time the flaw in Apple’s iCloud Private Relay service has been discovered. The identical problem in the service was reported a month ago by a Reddit user known as WhatTheHomePod.

“If you run a test with Private Relay enabled at step Reflexive connectivity, you should see your ISP’s address. Nothing is disclosed if you connect using a virtual private network or proxy and run the test again. This is an issue that I’ve reported to Apple. Just so the users under us are aware,” the user added.
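A self-check for the behaviour both quotes describe, added here as an example and not taken from the researcher's write-up or the Reddit post: it parses ICE candidate lines gathered from your own browser and reports any that expose a public address other than the one the relay presents to websites. The function names are hypothetical, the candidate strings and IP addresses are constructed from documentation ranges, and `egressIp` is assumed to be the address an IP-lookup page shows while Private Relay is on.

```javascript
// Added example: audit ICE candidate lines for addresses that bypass a relay.
// All candidate strings and IPs below are constructed (RFC 5737 documentation ranges).

// Parse an ICE candidate attribute:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null; // not a candidate line
  return { transport: m[3].toLowerCase(), address: m[5].toLowerCase(),
           port: Number(m[6]), type: m[7].toLowerCase() };
}

// True for addresses that do not identify the user on the public internet.
function isNonPublic(addr) {
  if (addr.endsWith(".local")) return true; // mDNS-obfuscated host candidate
  if (addr.includes(":")) {                 // IPv6: loopback, link-local, unique-local
    return addr === "::1" || /^fe[89ab]/.test(addr) || /^f[cd]/.test(addr);
  }
  const [a, b] = addr.split(".").map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254) ||
         (a === 100 && b >= 64 && b <= 127); // CGNAT range
}

// Return the candidates that carry a public address different from the relay egress.
function findLeaks(candidateLines, egressIp) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || isNonPublic(c.address) || c.address === egressIp.toLowerCase()) continue;
    leaks.push(c);
  }
  return leaks;
}

// Constructed sample: two host candidates, one srflx matching the egress, one that does not.
const sampleCandidates = [
  "candidate:1 1 udp 2113937151 6f2c1a9e-0000-4000-8000-000000000001.local 54321 typ host",
  "candidate:2 1 udp 2113937151 192.168.1.23 54321 typ host",
  "candidate:3 1 udp 1677729535 198.51.100.7 50000 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 1677729535 203.0.113.45 54321 typ srflx raddr 0.0.0.0 rport 0",
];
const sampleEgressIp = "198.51.100.7"; // constructed relay egress address

for (const leak of findLeaks(sampleCandidates, sampleEgressIp)) {
  console.log(`LEAK: ${leak.type} candidate exposes ${leak.address} (egress is ${sampleEgressIp})`);
}
```

An empty result with the relay enabled corresponds to the "nothing is disclosed" outcome the Reddit user reports for a VPN or proxy.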

Apple has already provided a patch for the macOS Monterey beta that addresses the iCloud Private Relay service flaw. However, the issue in iOS 15 has yet to be addressed.

It’s unclear when Apple will release a new patch to address this issue in the system, which promises to protect users’ identities by enhancing their anonymity. But, knowing Apple, it will most likely do so shortly.