
Two years on, Apple iOS VPNs still leak IP addresses
2022-08-19 07:37

Apple has left a VPN bypass vulnerability in iOS unfixed for at least two years, leaving identifying IP traffic data exposed, and there's no sign of a fix.

Earlier this year, Michael Horowitz, a veteran software developer and consultant, revisited the situation and found that VPNs on iOS are still vulnerable and leaking data.

"VPNs on iOS are broken," he wrote in an August 5 update to a May 25 post titled "VPNs on iOS are a scam." "At first, they appear to work fine. The iOS device gets a new public IP address and new DNS servers. Data is sent to the VPN server."

Then ten days ago, Horowitz updated his post to confirm that iOS 15.6 - Apple's latest iOS release if you don't count the 15.6.1 update that went out yesterday to patch two zero-day bugs - is still vulnerable.

What's more, Horowitz says that Yegor Sak, the co-founder of VPN service Windscribe, got in touch to say his company is aware of the data leak and has submitted multiple reports to Apple.

When security firm Sophos noted ProtonMail's post back in March 2020, author John Dunn observed, "At least Apple knows about the issue." Two and a half years on, Apple's awareness looks indistinguishable from ignorance.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/19/apple_ios_vpn/

Related vendor

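| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|--------|----------|------------|-----|--------|------|----------|-------------|
| Apple  |          | 72         | 238 | 1567   | 2279 | 265      | 4349        |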