MacOS bypassing VPNs and leaking traffic after update, report reveals


Security analytics at Mullvad have discovered scenarios when the macOS firewall does not seem to function correctly and disregards rules. Many users seem angry about their settings disappearing after updates.

Researchers warn that VPN users can be leaking traffic on macOS after system updates.

“In this scenario the macOS firewall does not seem to function correctly and is disregarding firewall rules. Most traffic will still go inside the VPN tunnel since the routing table specifies that it should. Unfortunately, apps are not required to respect the routing table and can send traffic outside the tunnel if they try to,” Mullvad said in a blog post

ADVERTISEMENT

Some of Apple’s own apps and services bypass the VPN and this issue started with macOS 14.6 and was fixed in a recent 15.1 beta.

“To our current knowledge, a reboot resolves it. We are currently investigating this and will follow up with more information,” the blog post reads.

“We’ve reported this to Apple and hopefully we’ll see a fix in the near future.”

Users can check if they’re affected by adding a firewall rule that blocks all traffic, and then sending a request. If the request still goes through, the traffic is leaking.

Another method involves testing the VPN app. First, users should ensure they’re not connected to a VPN, then find their default network interface (WiFi, Ethernet, or other). Then they should connect to a VPN server and attempt to connect to a remote server by sending requests through the original network interface. Again, if they get a response, their traffic is leaking. Mullvad listed commands for these steps in a blog post.

Users on the Hacker News server shared more issues affecting MacOS after updates.

“Every time I update macOS, some of the system settings are changed to default including some in the firewall. And I have to painstakingly go through all of it and change it,” one user lamented.

This can lead to more permissive firewall rules and introduce risks.

ADVERTISEMENT

Another user said Macs were launching apps and playing audio/video content audio in browser tabs even before logging in.

“Even though I had disabled all 'restore' applications features, macOS sometimes decides to 'start' browsers BEFORE logging in after a restart AND those start auto-playing audio from whatever was paused before the reboot (or many days before),” another user said.

Other complaints included macOS launching a “bunch of apps” after update, even though they were not open before updating, or losing configuration data. Mac users often recommend rebooting Apple devices once again after updates, as issues can arise when the computer starts up for the first time.

Cybernews has reached out to Apple and will update the story with their response.