Apple’s iOS 13.4 hit by VPN bypass vulnerability

Publicised by ProtonVPN, the issue is a bypass flaw caused by iOS not closing existing connections when it establishes a VPN tunnel. It affects iOS 13.3.1 as well as the latest version.
A VPN app should open a private connection to a dedicated server through which all internet traffic from the device is routed before being forwarded to the website or service someone is accessing.
In short, everything that starts after the VPN is loaded will be secure, but anything started before that moment might not be if its connection is not reset of its own accord.
The VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel.
We have been in contact with Apple, which has acknowledged the VPN bypass vulnerability and is looking into options to mitigate it.
News URL
https://nakedsecurity.sophos.com/2020/03/30/apples-ios-13-4-hit-by-vpn-bypass-vulnerability/