
Apple’s Private Relay Fails with WebRTC, Researchers Report Vulnerability

Published by
SectorHQ Editorial

While Apple marketed Private Relay as a bulletproof privacy shield, Webrtchacks reports that WebRTC leaks IP addresses, rendering the feature ineffective until iOS 15.1 patched it.

Key Facts

  • Key company: Apple

Apple’s iCloud Private Relay, introduced with iOS 15 as part of the iCloud+ suite, was designed to conceal a user’s IP address from both Apple and the destination website by routing traffic through a dual‑proxy architecture. However, a technical deep‑dive by Webrtchacks shows that WebRTC’s Interactive Connectivity Establishment (ICE) process sidesteps that privacy guarantee. In the pre‑iOS 15.1 build, the ICE handshake, which contacts a STUN server to discover the client’s public IP, leaks the address directly to the remote peer, bypassing Apple’s relay entirely. The researchers demonstrated the leak with a simple RTCPeerConnection test, confirming that the public IP returned by the STUN server is exposed to the web application despite Private Relay being active (Webrtchacks, September 27 2021).

The root of the problem lies in WebRTC’s peer‑to‑peer design, which prioritises low‑latency, direct connections for video, audio, and data streams. To traverse NATs and firewalls, browsers must exchange candidate IP addresses via ICE, often using publicly reachable STUN servers. Because Private Relay only proxies HTTP(S) traffic, it does not intercept or rewrite the ICE‑derived IP information that WebRTC transmits over UDP. Consequently, any web page that initiates a WebRTC session can retrieve the user’s true IP address, rendering the “anonymous browsing” promise of Private Relay ineffective for those sites (Webrtchacks, 2021).

Apple addressed the vulnerability in the iOS 15.1 update released on October 27 2021, which modifies the Safari networking stack to suppress ICE‑derived IP addresses when Private Relay is enabled. The patch aligns the browser’s behavior with the intended privacy model, ensuring that WebRTC connections no longer bypass the relay. Nonetheless, Webrtchacks notes that the issue remains a useful case study for developers and security auditors, illustrating how ancillary protocols can unintentionally undermine broader privacy features. The article also highlights broader criticism of Safari’s development cadence, citing “long release cycles and opaque roadmaps” that make it difficult for researchers to surface and remediate bugs before they reach end users (Webrtchacks, 2021).
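The two preceding paragraphs describe the leak path (a STUN-derived server-reflexive candidate carrying the client’s real public IP) and the fix (suppressing ICE-derived addresses so only relayed traffic is visible). The following is an added example, not code from Webrtchacks or Apple, written from an auditor’s point of view: it parses `a=candidate` lines in the standard ICE candidate format, classifies each as local, relayed, or a public-address exposure, and mirrors what the real `RTCConfiguration.iceTransportPolicy = "relay"` setting does at gather time by keeping only relay candidates. The candidate lines, the `.local` mDNS name, and all IP addresses are constructed sample data (TEST-NET ranges); `parseCandidate`, `auditCandidates`, `leakedAddresses` and `applyIceTransportPolicy` are hypothetical helper names. It runs under Node.js with no browser APIs.

```javascript
// ICE candidate grammar (RFC 5245 / RFC 8839): candidate:<foundation> <component> <transport>
// <priority> <address> <port> typ <type> [raddr <addr> rport <port>] [extensions...]
const CANDIDATE_RE = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/;

// Parse one candidate line into its fields; returns null for non-candidate lines.
function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  const [, foundation, component, transport, priority, address, port, type, rest] = m;
  const extras = {};
  const tokens = rest.trim().split(/\s+/).filter(Boolean);
  for (let i = 0; i + 1 < tokens.length; i += 2) extras[tokens[i]] = tokens[i + 1];
  return {
    foundation, component: Number(component), transport: transport.toLowerCase(),
    priority: Number(priority), address, port: Number(port), type,
    raddr: extras.raddr || null, rport: extras.rport ? Number(extras.rport) : null,
  };
}

// True for addresses that cannot identify the user on the public Internet:
// RFC 1918, loopback, link-local, CGNAT, mDNS-obfuscated host names, and local IPv6.
function isPrivateOrLocalAddress(addr) {
  if (addr.endsWith('.local')) return true; // mDNS host candidate: no IP revealed
  const parts = addr.split('.').map(Number);
  if (parts.length !== 4 || parts.some(n => Number.isNaN(n) || n < 0 || n > 255)) {
    const v6 = addr.toLowerCase();
    return v6 === '::1' || v6.startsWith('fe80:') || v6.startsWith('fc') || v6.startsWith('fd');
  }
  const [a, b] = parts;
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Verdict per candidate: a relay candidate only exposes the TURN server's address;
// a host or srflx candidate with a routable address is exactly the leak the article describes.
function classifyCandidate(c) {
  if (c.type === 'relay') return 'relayed';
  if (isPrivateOrLocalAddress(c.address)) return 'local';
  return 'public-leak';
}

// Audit a list of SDP/trickle candidate lines and report a verdict for each.
function auditCandidates(lines) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    findings.push({ type: c.type, address: c.address, verdict: classifyCandidate(c) });
  }
  return findings;
}

// Distinct public addresses a remote peer would learn from these candidates.
function leakedAddresses(lines) {
  const leaks = auditCandidates(lines).filter(f => f.verdict === 'public-leak');
  return [...new Set(leaks.map(f => f.address))];
}

// Simulates RTCConfiguration.iceTransportPolicy: with "relay" the browser gathers only
// relay candidates, so host/srflx addresses never appear in the offer at all.
function applyIceTransportPolicy(lines, policy) {
  if (policy === 'all') return lines.slice();
  if (policy === 'relay') {
    return lines.filter(l => { const c = parseCandidate(l); return c && c.type === 'relay'; });
  }
  throw new Error(`unknown iceTransportPolicy: ${policy}`);
}

// Constructed sample gather result (TEST-NET addresses, hypothetical mDNS name).
const SAMPLE_CANDIDATES = [
  'a=candidate:1 1 udp 2122260223 192.168.1.10 52382 typ host generation 0',
  'a=candidate:2 1 udp 2122194687 c0ffee12-3456-7890-abcd-ef0123456789.local 52383 typ host',
  'a=candidate:3 1 udp 1686052607 203.0.113.45 52382 typ srflx raddr 192.168.1.10 rport 52382 generation 0',
  'a=candidate:4 1 udp 41819902 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 52382',
  'a=candidate:5 1 tcp 1518280447 203.0.113.45 9 typ host tcptype active',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditCandidates(SAMPLE_CANDIDATES));
  console.log('leaked:', leakedAddresses(SAMPLE_CANDIDATES));
  console.log('relay-only:', applyIceTransportPolicy(SAMPLE_CANDIDATES, 'relay'));
}
```

Run with `node` to see the srflx candidate (type `srflx`, address `203.0.113.45`) flagged as `public-leak` even though the host candidate behind it is private: that is the STUN-discovered address the relay never saw. Filtering with the `relay` policy leaves only the TURN candidate, which is the same end state the iOS 15.1 change produces from the browser side, at the cost of forcing all media through a TURN server.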

From a market perspective, the episode underscores the challenges Apple faces in balancing feature richness with its privacy branding. While iCloud Private Relay is a differentiator for the premium iCloud+ tier, any perceived weakness—especially one that can be demonstrated with readily available WebRTC tools—could erode confidence among privacy‑focused consumers and enterprises. Analysts have long pointed out that Apple’s ecosystem advantage hinges on the perception of security; a flaw that allows IP leakage, even temporarily, may prompt competitors to emphasize more robust anonymity solutions in their own services.

The broader implication for the industry is a reminder that privacy controls must be evaluated holistically, accounting for all networking layers. As WebRTC continues to be adopted for real‑time collaboration tools, browsers and operating systems will need to ensure that auxiliary protocols do not become backdoors to user data. Apple’s swift patch in iOS 15.1 demonstrates that remediation is possible, but the episode also serves as a cautionary tale: privacy‑by‑design must extend beyond the primary data path to encompass every ancillary communication channel.
