Apple’s new macOS Big Sur has a new feature that allows many of its own apps to bypass firewalls and VPNs. This is a big concern as it could potentially open opportunities for malware to exploit access to personal/sensitive data stored on a user’s system and transmit to remote servers.
This issue was spotted a month ago during the beta version of the operating system. However, after Apple officially released the OS to the public on November 12th, the issue appears to be unchanged. This has caused concern from cyber security researchers and enthusiasts who are claiming that it is just waiting to be exploited.
The issue was originally found by a Twitter user named Maxwell, he tweeted “Some Apple apps bypass some network extensions and VPN Apps” “Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running.”
The big concern here is that this issue can leave the system open to attack and the inability to limit or block traffic as the user wishes.
NEFilterDataProvider makes it possible to control network traffic either by opting to pass or block the data when it receives a new flow, or it can ask the system to see more of the flow’s data in either the outbound or inbound direction before making a pass or block decision.
Therefore, by disregarding NEFilterDataProvider, it makes it nearly impossible for VPNs to block Apple apps.
Examples have already been demonstrated of how an app could exploit this issue to extract sensitive data to a malicious actor’s server by only using a simple python script that jumps on the back of traffic going to an Apple app that is able to do so due to the firewall bypass.
Apple have not yet commented on this, but we can be sure it will be fixed in the near future. Until then, be sure to be aware of this.
