
Apple nixes feature that let apps bypass VPN

A Big Sur beta privacy upgrade closes a loophole on MacOS app security.

Rae Hodge Former senior editor

Following rising concerns from security researchers, Apple reportedly removed a controversial MacOS feature in Big Sur 11.2 beta 2 on Thursday. Discovered during Big Sur 11.2's first beta release, the feature allowed 53 of Apple's own apps to bypass security firewalls and virtual private networks, according to CNET's sister site ZDNet.

Researchers argued that the feature, called the Content Filter Exclusion List, could have allowed malware attacks through unguarded entry points and could have compromised users' identities. The list contained 53 of Apple's own apps whose incoming and outgoing internet traffic was allowed to bypass security tools such as third-party firewalls and VPNs. That list of apps included some of the most popular -- App Store, Maps, and iCloud among them.

Apple told ZDNet the list was temporary, and an Apple software engineer later said the list was the result of a series of bugs in Apple apps that have since been fixed. Once Big Sur 11.2 is released, Apple said, all Apple apps will once again be subject to firewalls and security tools, and they'll be compatible with VPN apps.

The feature's vulnerability was first discovered by a Big Sur 11.2 beta 1 user in October.

The security loophole remained open even after the product exited its first beta phase, and was noted again on Twitter by security researcher Patrick Wardle. 

A handful of standalone commercial VPN apps, such as Proton VPN and Mullvad, claim not to have been previously affected by the feature. Others, like Hide.Me, have offered their users instructions on potential workarounds.

Apple did not immediately respond to CNET's request for comment. 
