Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

hyperbolic

macrumors member
Original poster
Jun 8, 2022
50
25
I logged into Amazon.com today using Safari with Private Relay turned ON over a cellular (XFinity Mobile connection — they use Verizon as the underlying carrier). However, despite the fact I have Private Relay turned ON and despite the fact that I confirmed that my real IP address is NOT being leaked (using browserleaks.com/ip), SOMEHOW AMAZON.COM WAS ABLE TO DETECT MY REAL (CELLULAR) IP ADDRESS.

The way I discovered this was that I have 2-factor authentication set up on my Amazon.com account wherein Amazon sends me an SMS text message that provides a link for me to click, which takes me to an authorization webpage. This webpage asks you to confirm the login attempt. The page provides the IP address that the login attempt was made from and it displays your current IP address (of course you want those to match, and they did in my case). HOWEVER, AMAZON DISPLAYED MY REAL IP ADDRESS, NOT THE PRIVATE RELAY ADDRESS.

THIS IS A SERIOUS PROBLEM. How can Amazon.com POSSIBLY figure out my real IP address when in fact:

1. I have Private Relay turned ON for both WiFi and Cellular (I’m on cellular with WiFi turned OFF).

2. My Cellular carrier is NOT blocking Private Relay.

3. I do NOT have a DNS Override configured using a Profile (i.e. I don’t have a custom encrypted DoH or DoT DNS resolver configured).

4. I’m using Safari to log in to Amazon.com

5. I see NO error messages telling me Private Relay is not functioning.

6. I used browserleaks.com to confirm that my real IP address is NOT leaking and that my DNS resolvers are all Private Relay based resolvers using the browser leaks DNS server detection.

7. I’m on the latest version of iOS (15.6.1, iPhone 8 Plus, which makes this finding even more unfortunate).

HOW IS AMAZON POSSIBLY OBTAINING MY REAL IP ADDRESS? THIS SIMPLE FIND TODAY ESSENTIALLY TELLS ME THAT PRIVATE RELAY CANNOT BE TRUSTED. PERIOD.

Try it yourself if you don’t believe me. Follow the steps above and 2-factor login to your Amazon.com account. You’ll see your real IP address is exposed. This fundamentally means that essentially every website a person visits using Private Relay is able to obtain your REAL IP ADDRESS. And I’m on the latest version of iOS too (15.6.1, iPhone 8 Plus).

Now, Apple DOES state in their Private Relay documentation that SMS text traffic does NOT go through Private Relay. However, that DOES NOT MATTER IN THIS CASE, AND SHOULD NOT MATTER WHEN IT COMES TO A WEBSITE IN SAFARI BEING ABLE TO DETECT YOUR REAL IP ADDRESS.

Like I mentioned, Amazon 2-factor auth SMS text messaged ME a message containing a hyperlink to click in order to authenticate my login in Safari. There’s NO POSSIBLE WAY that Amazon nor any other remote user can determine a persons Cellular IP Address by merely sending that person a text message. In fact, there’s NO WAY that even the receiver of an SMS text message can possibly detect the IP Address of the sender. The CELLULAR PROVIDER MIGHT have access to both IP addresses if both users use the same cellular provider, but even then I doubt that’s happening because there’s probably an intermediary server that handles the SMS routing. EITHER WAY, there’s NO WAY the Cellular provider is giving either the receiver or sender the other side’s IP Address.

In conclusion,

1. I would very much appreciate if someone would confirm my findings. My phone is not jailbroken, nor is it a Managed Device, nor do I have any Cellular “firewall” settings turned ON my cellular account that would prevent Private Relay from working, ESPECIALLY in Safari, and even then, Apple indicates that it will clearly present an error to the user if Private Relay is not functioning in this specific case.

2. If Amazon.com can determine one’s real IP Address that’s a SIMPLE PROOF that Private Relay CANNOT BE TRUSTED TO WORK on ANY website, especially Amazon and Google (two of the “biggies”).

3. If anyone know HOW Amazon is successfully determine my REAL (cellular) IP Address with Private Relay turned ON, please do let me know. In fact please let the world know, because this is inexcusable especially considering Apple has sent out numerous “zero-day” emergency iOS updates in the past ~THREE years. In a lot of these cases, the attacker not only had access to the users iPhone and iCloud, but FULL ACCESS and even FULL REMOTE CONTROL of the LOCAL device! This is absolutely INEXCUSABLE. It’s inexcusable that it FULL REMOTE ACCESSES has happened even ONCE. It’s beyond belief that iOS has essentially been prone to FULL ACCESS REMOTE CONTROL for YEARS now, and I have nearly zero confidence that the latest iOS 15.6.1 released fundamentally fixed this situation.

WHAT IS UP WITH YOU APPLE??? I’m a proud 25+ year user of Apple products, but this is nearly the last straw.
 
I am guessing the API in the Amazon app relies on the carrier GPS to provide you with accurate shipping account details. There is no real mystery here and Apple didn't let you down. And if you care about privacy and security, you really shouldn't be using SMS as a second means of verification. You should be using a 2FA app.
 
In this case, it's for security purposes. Do you want Amazon to simply allow logins to your account from random IP addresses?

If you don't like this, use VPN or TOR.
 
  • Like
Reactions: JapanApple
I am guessing the API in the Amazon app relies on the carrier GPS to provide you with accurate shipping account details. There is no real mystery here and Apple didn't let you down. And if you care about privacy and security, you really shouldn't be using SMS as a second means of verification. You should be using a 2FA app.
Just as an aside, I’m disappointed in my banks for not using proper 2FA. They still use SMS or email only.
 
  • Like
Reactions: hyperbolic
I am guessing the API in the Amazon app relies on the carrier GPS to provide you with accurate shipping account details. There is no real mystery here and Apple didn't let you down. And if you care about privacy and security, you really shouldn't be using SMS as a second means of verification. You should be using a 2FA app.


Of course that’s not what’s occurring. Knowledge of GPS coordinates does not allow the IP address to be reverse engineered. If the IP address is known, the GPS coordinates can be guessed at, but it doesn’t work the other way around.

Besides that, I have location services turned off for Cell Network & Networking.
 
In this case, it's for security purposes. Do you want Amazon to simply allow logins to your account from random IP addresses?

If you don't like this, use VPN or TOR.

??? I don’t want Amazon or any other website to know my real IP address when using Private Relay. What’s the use of Private Relay if the IP address can be reverse engineered??

You’re not getting it.
 
  • Like
Reactions: maternidad
Your username is right on point with this post

Haha. Yeah I guess there were a lot of CAPS. I should have used more CAPS because it’s ridiculous that after ~2 years of beta testing, iCloud Private Relay fails at the one single thing it was designed to do! Lol. I would expect this from Microsoft, not Apple.
 
My bank doesn't use proper MFA, either and it is a major bank.

It’s indeed pretty unfathomable, isn’t it? That many banks, of all companies, don’t employ strong MFA.

What’s worse in my view are the websites that allow a 2FA app to be used, but then give the user the option of email or SMS authorization in the event their 2FA app isn’t available.

Like, what’s the USE then?? And this is why I’m very disappointed in Apple for providing a “Private Relay” where, apparently, as I have trivially proven, any website you visit has the ability to reverse engineer your real IP address. What’s the USE???
 
It's strange that this occurs, and Private Relay wouldn't be being effective if websites were capable of obtaining actual IP addresses with it turned on.
 
  • Like
Reactions: hyperbolic
It's strange that this occurs, and Private Relay wouldn't be being effective if websites were capable of obtaining actual IP addresses with it turned on.

I agree, and it indeed does occur, still in 15.7.1. You can test it yourself if you don’t believe me.

Hopefully Apple fixed this in iOS 16.x. I plan on testing as soon as 16.2 ships.
 
This is nothing new. happening to me for years with amazon.

It’s new because it’s a bug in Private Relay. I’m not sure if you read the original post, but Private Relay leaks your real IP address when you log into a website. That’s not ideal!
 
It’s new because it’s a bug in Private Relay. I’m not sure if you read the original post, but Private Relay leaks your real IP address when you log into a website. That’s not ideal!
well, japan always doing this to users. It's not new. They know what's going on. monitoring accounts. I had problems where I was warned for an account and all reviews are taken down. then after I asked the said sorry and took care of the issue wasn't me. Amazon has so many algorithms occurring through their site and their app. as long as my account is safe I can care less. There is no conspiracy..... I know what our saying nothing new here
 
  • Like
Reactions: hyperbolic
well, japan always doing this to users. It's not new. They know what's going on. monitoring accounts. I had problems where I was warned for an account and all reviews are taken down. then after I asked the said sorry and took care of the issue wasn't me. Amazon has so many algorithms occurring through their site and their app. as long as my account is safe I can care less. There is no conspiracy..... I know what our saying nothing new here

I see what you’re saying. I’m not saying there’s a conspiracy, I’m just saying there’s a huge bug in Apple Private Relay and I hope it’s fixed in iOS 16.2 next week.
 
It’s new because it’s a bug in Private Relay. I’m not sure if you read the original post, but Private Relay leaks your real IP address when you log into a website. That’s not ideal!
I see what you’re saying. I’m not saying there’s a conspiracy, I’m just saying there’s a huge bug in Apple Private Relay and I hope it’s fixed in iOS 16.2 next week.
I had mine go off early this morning with a warning. I do understand what you referring to. I am so used to it. I use a VPN etc. I saw this post saying here we go again. Apple and amazon don't like each other :p
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.