Apple nixes feature that let apps bypass VPN
Following rising concerns from security researchers, Apple reportedly removed a controversial MacOS feature in 11.2 beta 2 on Thursday. Discovered during Big Sur 11.2’s first beta release, the feature allowed 53 of Apple’s own apps to bypass security firewalls and , according to CNET’s sister ZDNet.
Researchers argued that the feature, called the Content Filter Exclusion List, could have allowed malware attacks through unguarded entry points and could have compromised users’ identities. The list contained 53 of Apple’s own apps whose incoming and outgoing internet-connected data traffic were allowed to bypass security tools such as third-party firewalls and VPNs. That list of apps included some of the most popular — App Store, Maps, and iCloud among them.
Apple told ZDNet the list was temporary, and an Apple software engineer later said the list was the result of a series of bugs in Apple apps that have since been fixed. Once Big Sur 11.2 is released, Apple said, all Apple apps will once again be subject to firewalls and security tools, and they’ll be compatible with VPN apps.
The feature’s vulnerability was first discovered by a Big Sur 11.2 beta 1 user in October.
The security loophole remained open even after the product exited its first beta phase, and was noted again on Twitter by security researcher Patrick Wardle.
A handful of standalone commercial VPN apps, such as Proton VPN and Mullvad, claim to have not been previously affected by the feature. Others, like Hide.Me, have offered their users instructions on potential workarounds.
Apple did not immediately respond to CNET’s request for comment.