I logged into Amazon.com today using Safari with Private Relay turned ON over a cellular (XFinity Mobile connection — they use Verizon as the underlying carrier). However, despite the fact I have Private Relay turned ON and despite the fact that I confirmed that my real IP address is NOT being leaked (using browserleaks.com/ip), SOMEHOW AMAZON.COM WAS ABLE TO DETECT MY REAL (CELLULAR) IP ADDRESS.
The way I discovered this was that I have 2-factor authentication set up on my Amazon.com account wherein Amazon sends me an SMS text message that provides a link for me to click, which takes me to an authorization webpage. This webpage asks you to confirm the login attempt. The page provides the IP address that the login attempt was made from and it displays your current IP address (of course you want those to match, and they did in my case). HOWEVER, AMAZON DISPLAYED MY REAL IP ADDRESS, NOT THE PRIVATE RELAY ADDRESS.
THIS IS A SERIOUS PROBLEM. How can Amazon.com POSSIBLY figure out my real IP address when in fact:
1. I have Private Relay turned ON for both WiFi and Cellular (I’m on cellular with WiFi turned OFF).
2. My Cellular carrier is NOT blocking Private Relay.
3. I do NOT have a DNS Override configured using a Profile (i.e. I don’t have a custom encrypted DoH or DoT DNS resolver configured).
4. I’m using Safari to log in to Amazon.com
5. I see NO error messages telling me Private Relay is not functioning.
6. I used browserleaks.com to confirm that my real IP address is NOT leaking and that my DNS resolvers are all Private Relay based resolvers using the browser leaks DNS server detection.
7. I’m on the latest version of iOS (15.6.1, iPhone 8 Plus, which makes this finding even more unfortunate).
HOW IS AMAZON POSSIBLY OBTAINING MY REAL IP ADDRESS? THIS SIMPLE FIND TODAY ESSENTIALLY TELLS ME THAT PRIVATE RELAY CANNOT BE TRUSTED. PERIOD.
Try it yourself if you don’t believe me. Follow the steps above and 2-factor login to your Amazon.com account. You’ll see your real IP address is exposed. This fundamentally means that essentially every website a person visits using Private Relay is able to obtain your REAL IP ADDRESS. And I’m on the latest version of iOS too (15.6.1, iPhone 8 Plus).
Now, Apple DOES state in their Private Relay documentation that SMS text traffic does NOT go through Private Relay. However, that DOES NOT MATTER IN THIS CASE, AND SHOULD NOT MATTER WHEN IT COMES TO A WEBSITE IN SAFARI BEING ABLE TO DETECT YOUR REAL IP ADDRESS.
Like I mentioned, Amazon 2-factor auth SMS text messaged ME a message containing a hyperlink to click in order to authenticate my login in Safari. There’s NO POSSIBLE WAY that Amazon nor any other remote user can determine a persons Cellular IP Address by merely sending that person a text message. In fact, there’s NO WAY that even the receiver of an SMS text message can possibly detect the IP Address of the sender. The CELLULAR PROVIDER MIGHT have access to both IP addresses if both users use the same cellular provider, but even then I doubt that’s happening because there’s probably an intermediary server that handles the SMS routing. EITHER WAY, there’s NO WAY the Cellular provider is giving either the receiver or sender the other side’s IP Address.
In conclusion,
1. I would very much appreciate if someone would confirm my findings. My phone is not jailbroken, nor is it a Managed Device, nor do I have any Cellular “firewall” settings turned ON my cellular account that would prevent Private Relay from working, ESPECIALLY in Safari, and even then, Apple indicates that it will clearly present an error to the user if Private Relay is not functioning in this specific case.
2. If Amazon.com can determine one’s real IP Address that’s a SIMPLE PROOF that Private Relay CANNOT BE TRUSTED TO WORK on ANY website, especially Amazon and Google (two of the “biggies”).
3. If anyone know HOW Amazon is successfully determine my REAL (cellular) IP Address with Private Relay turned ON, please do let me know. In fact please let the world know, because this is inexcusable especially considering Apple has sent out numerous “zero-day” emergency iOS updates in the past ~THREE years. In a lot of these cases, the attacker not only had access to the users iPhone and iCloud, but FULL ACCESS and even FULL REMOTE CONTROL of the LOCAL device! This is absolutely INEXCUSABLE. It’s inexcusable that it FULL REMOTE ACCESSES has happened even ONCE. It’s beyond belief that iOS has essentially been prone to FULL ACCESS REMOTE CONTROL for YEARS now, and I have nearly zero confidence that the latest iOS 15.6.1 released fundamentally fixed this situation.
WHAT IS UP WITH YOU APPLE??? I’m a proud 25+ year user of Apple products, but this is nearly the last straw.
The way I discovered this was that I have 2-factor authentication set up on my Amazon.com account wherein Amazon sends me an SMS text message that provides a link for me to click, which takes me to an authorization webpage. This webpage asks you to confirm the login attempt. The page provides the IP address that the login attempt was made from and it displays your current IP address (of course you want those to match, and they did in my case). HOWEVER, AMAZON DISPLAYED MY REAL IP ADDRESS, NOT THE PRIVATE RELAY ADDRESS.
THIS IS A SERIOUS PROBLEM. How can Amazon.com POSSIBLY figure out my real IP address when in fact:
1. I have Private Relay turned ON for both WiFi and Cellular (I’m on cellular with WiFi turned OFF).
2. My Cellular carrier is NOT blocking Private Relay.
3. I do NOT have a DNS Override configured using a Profile (i.e. I don’t have a custom encrypted DoH or DoT DNS resolver configured).
4. I’m using Safari to log in to Amazon.com
5. I see NO error messages telling me Private Relay is not functioning.
6. I used browserleaks.com to confirm that my real IP address is NOT leaking and that my DNS resolvers are all Private Relay based resolvers using the browser leaks DNS server detection.
7. I’m on the latest version of iOS (15.6.1, iPhone 8 Plus, which makes this finding even more unfortunate).
HOW IS AMAZON POSSIBLY OBTAINING MY REAL IP ADDRESS? THIS SIMPLE FIND TODAY ESSENTIALLY TELLS ME THAT PRIVATE RELAY CANNOT BE TRUSTED. PERIOD.
Try it yourself if you don’t believe me. Follow the steps above and 2-factor login to your Amazon.com account. You’ll see your real IP address is exposed. This fundamentally means that essentially every website a person visits using Private Relay is able to obtain your REAL IP ADDRESS. And I’m on the latest version of iOS too (15.6.1, iPhone 8 Plus).
Now, Apple DOES state in their Private Relay documentation that SMS text traffic does NOT go through Private Relay. However, that DOES NOT MATTER IN THIS CASE, AND SHOULD NOT MATTER WHEN IT COMES TO A WEBSITE IN SAFARI BEING ABLE TO DETECT YOUR REAL IP ADDRESS.
Like I mentioned, Amazon 2-factor auth SMS text messaged ME a message containing a hyperlink to click in order to authenticate my login in Safari. There’s NO POSSIBLE WAY that Amazon nor any other remote user can determine a persons Cellular IP Address by merely sending that person a text message. In fact, there’s NO WAY that even the receiver of an SMS text message can possibly detect the IP Address of the sender. The CELLULAR PROVIDER MIGHT have access to both IP addresses if both users use the same cellular provider, but even then I doubt that’s happening because there’s probably an intermediary server that handles the SMS routing. EITHER WAY, there’s NO WAY the Cellular provider is giving either the receiver or sender the other side’s IP Address.
In conclusion,
1. I would very much appreciate if someone would confirm my findings. My phone is not jailbroken, nor is it a Managed Device, nor do I have any Cellular “firewall” settings turned ON my cellular account that would prevent Private Relay from working, ESPECIALLY in Safari, and even then, Apple indicates that it will clearly present an error to the user if Private Relay is not functioning in this specific case.
2. If Amazon.com can determine one’s real IP Address that’s a SIMPLE PROOF that Private Relay CANNOT BE TRUSTED TO WORK on ANY website, especially Amazon and Google (two of the “biggies”).
3. If anyone know HOW Amazon is successfully determine my REAL (cellular) IP Address with Private Relay turned ON, please do let me know. In fact please let the world know, because this is inexcusable especially considering Apple has sent out numerous “zero-day” emergency iOS updates in the past ~THREE years. In a lot of these cases, the attacker not only had access to the users iPhone and iCloud, but FULL ACCESS and even FULL REMOTE CONTROL of the LOCAL device! This is absolutely INEXCUSABLE. It’s inexcusable that it FULL REMOTE ACCESSES has happened even ONCE. It’s beyond belief that iOS has essentially been prone to FULL ACCESS REMOTE CONTROL for YEARS now, and I have nearly zero confidence that the latest iOS 15.6.1 released fundamentally fixed this situation.
WHAT IS UP WITH YOU APPLE??? I’m a proud 25+ year user of Apple products, but this is nearly the last straw.
