If you’re using a Mac VPN and recently updated your device to Big Sur, your privacy may be at risk: Apple apps have been found to bypass both firewalls and VPN services in the company’s latest version of macOS.
Twitter user mxswd first spotted the issue back in October and provided more details in a tweet which reads: “Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running”.
Patrick Wardle, a security researcher at Jamf, confirmed that this was happening and explained in a comment that previous versions of macOS allowed a firewall or VPN to be set up using the Network Kernel Extension (kext).
According to Wardle, the Mac App Store in Big Sur is able to bypass any firewall set up by a user as its traffic is invisible to firewalls. This has serious security implications for organizations that have set up firewalls to prevent certain applications from using their corporate networks.
Bypassing firewalls and VPNs
The news outlet Apple Term wrote a story on this issue back in mid-October in order to bring attention to it ahead of Big Sur’s official release. However, in an update to its story, Apple Term explained that the issue still exists, saying:
“Since the original publication of this article, macOS Big Sur has exited beta and been released to the public. Despite this, there is no indication that Apple has changed its behavior.”
In a tweet, Wardle showed how cybercriminals could use malware to easily exploit the gap between Apple apps and users’ firewalls. By doing so, they could then send users’ personal data to remote servers, which puts both their privacy and security at risk.
As of now, it’s still hard to understand why Apple would make its own apps exempt from firewalls and VPNs. Some believe that it is due to licensing issues while others think the company wants to keep data and traffic from its apps out of VPN servers.
Firewalls and VPNs are among the many ways in which consumers and business users alike protect their privacy and security online, so hopefully Apple will address this issue soon. Until then, though, it may be worth holding off on updating to Big Sur if you regularly use a VPN or firewall.