Security News > 2020 > March > Apple Unpatched VPN Bypass Bug Impacts iOS 13, Warn Researchers
Researchers said the Apple VPN bypass bug in iOS fails to terminate all existing connections and leaves a limited amount of data unprotected, such as a device's IP address, exposing it for a limited window of time.
"Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel," researchers explained in a technical analysis of the flaw.
iOS apps are required to use App Transport Security, which protects transmitted data via HTTPS. That said, researchers warn the VPN bypass bug's biggest threat is potentially revealing a device's IP address.
A patch for the VPN bypass flaw was not one of them, though the company did repair a serious flaw in the WebKit for iOS and Safari that could enable remote code execution.
In the meantime, ProtonVPN offered some practical advice for mitigating the iOS VPN bypass vulnerability while it remains unpatched.
News URL
https://threatpost.com/apple-unpatched-vpn-bypass-bug-impacts-ios-13-warn-researchers/154232/