The iPhone still has an unpatched VPN-related issue two years after it was disclosed; iPhone users' data is at risk, according to a researcher
A bug in iOS fails to hide existing Internet connections once a VPN is enabled, according to a researcher, who claims that VPNs on iOS leak user data because of an issue disclosed to Apple about two years ago.
As a result of the unpatched security vulnerability, iOS handsets do not completely route all network traffic through VPN apps as they should and some data leaves the device outside of the VPN tunnel. In 2020, ProtonVPN disclosed this flaw to Apple, but the company hasn't yet patched it, according to the researcher.
In a blog post, researcher Michael Horowitz claimed that VPN apps on iOS appear to work fine at first, i.e., the iOS device receives a new public IP address and DNS servers. A detailed examination of the data leaving the iOS device, however, shows that the VPN tunnel leaks, the researcher says: data leaves the iOS device outside of the VPN tunnel. "The leak isn't a classic or legacy DNS leak, it's a data leak," Horowitz said.
VPNs are used to encrypt traffic. Once enabled, a VPN gives the device a new IP address, DNS servers, and a tunnel for new traffic, shutting down existing Internet connections and re-establishing them through the VPN tunnel. iOS, however, has a bug that prevents it from hiding all existing Internet connections and/or leaks data outside the VPN tunnel, which raises some serious security concerns.
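The behaviour described above can be checked from outside the phone by looking at the connections it makes after the tunnel comes up. The following is an added example, not code from the article or from the researcher: it assumes flow records collected at the router, a known VPN server address, and a known tunnel start time; all names and the sample records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    opened: float     # seconds: first packet of the connection seen at the router
    last_seen: float  # seconds: last packet of the connection seen at the router
    dst_ip: str
    dst_port: int

def classify(flow, vpn_server_ip, vpn_up_at, grace=5.0):
    """Label one flow from the device relative to the moment the tunnel came up."""
    if flow.dst_ip == vpn_server_ip:
        return "tunnel"            # encrypted traffic to the VPN server itself
    if flow.opened >= vpn_up_at:
        return "leak-new"          # new connection made outside the tunnel
    # Closing packets of an old connection may trail the tunnel start briefly.
    if flow.last_seen <= vpn_up_at + grace:
        return "closed"            # torn down when the VPN was enabled, as expected
    return "leak-surviving"        # pre-VPN connection still sending data in the clear

def audit(flows, vpn_server_ip, vpn_up_at, grace=5.0):
    """Group flows by label; any 'leak-*' entry is traffic outside the tunnel."""
    report = {"tunnel": [], "closed": [], "leak-surviving": [], "leak-new": []}
    for flow in flows:
        report[classify(flow, vpn_server_ip, vpn_up_at, grace)].append(flow)
    return report

# Constructed sample data (documentation address ranges, not real hosts).
VPN_SERVER = "203.0.113.10"
VPN_UP = 100.0
SAMPLE_FLOWS = [
    Flow(10.0, 60.0, "198.51.100.5", 443),     # ended before the VPN was enabled
    Flow(20.0, 101.5, "198.51.100.7", 443),    # closed just after the tunnel start
    Flow(30.0, 400.0, "198.51.100.9", 443),    # long-lived, never re-established
    Flow(100.2, 500.0, "203.0.113.10", 51820), # the tunnel itself
    Flow(150.0, 160.0, "192.0.2.44", 443),     # opened after the tunnel was up
]

if __name__ == "__main__":
    for label, flows in audit(SAMPLE_FLOWS, VPN_SERVER, VPN_UP).items():
        print(f"{label}: {[(f.dst_ip, f.dst_port) for f in flows]}")
```

With a VPN that behaves as it should, both `leak-surviving` and `leak-new` stay empty, and everything seen after the tunnel start goes to the VPN server.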
Imagine that, as in a movie, you are driving a red car and someone is following you in a helicopter. The helicopter cannot see you after you enter a tunnel, and you emerge in a white car that conceals your identity. A flaw in that cloak could, however, allow trackers to identify you if it gives away information. We have reached out to Apple for comment and have yet to receive a response.
In addition, the researcher claims to have confirmed this data leak using various types of VPN and software from various VPN providers. He tested it on iOS 15.6. When ProtonVPN first reported the issue, iPhone models ran iOS v13, and Apple had not yet fixed the problem.
It has been reported that Apple has not yet fully fixed the problem. It is disappointing, to say the least, that this continues to be an issue, according to Proton CEO Andy Yen. Apple was first notified of this issue two years ago. The vulnerability was disclosed to protect the public since Apple refused to fix the issue.
"The security of millions of people depends on Apple, and they are the only ones who can fix it. However, given Apple's lack of action for the past two years, we are not optimistic they will do the right thing."