It has been reported that an unpatched security vulnerability in iOS 13.3.1 and later prevents virtual private networks (VPNs) from encrypting all traffic: some Internet connections bypass the VPN tunnel entirely, which can expose users' data or leak their real IP address.
As ProtonVPN disclosed, connections opened after the VPN is connected on an iOS device are routed through the tunnel as expected, but iOS does not close connections that were already open when the tunnel came up, so those keep running outside the VPN until they end on their own. Most are short-lived and will eventually be re-established through the tunnel, but some long-lived ones (ProtonVPN cited Apple's push notification service as an example) can stay open for minutes or hours. The VPN bypass vulnerability was rated with a 5.3 CVSS v3.1 base score, and ProtonVPN published the details to make users and other VPN providers aware of the issue. The workaround ProtonVPN suggested is to connect to the VPN, switch Airplane Mode on and then off again so that existing connections are dropped and re-established inside the tunnel, with the caveat that this is not guaranteed to work; Apple's recommended mitigation is Always On VPN, which requires device management (MDM) and so does not help users of third-party VPN apps.
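The practical question the disclosure raises is "which of my open connections are outside the tunnel?" The following is an added example (not ProtonVPN's or Apple's code) that answers it for a BSD/macOS-style `netstat -an` snapshot: it parses the connection table and flags every established connection whose local address is not the tunnel's address, excluding the VPN gateway itself, whose encrypted transport legitimately leaves via the physical interface. iOS exposes no such table to third-party apps, so the snapshot here is constructed to mirror the situation the article describes (a tunnel address of `10.2.0.2`, a Wi-Fi address of `192.168.1.23`, and a VPN gateway at `198.51.100.7` are all assumed values); on a Mac you can feed it real `netstat -an` output.

```python
"""Flag established connections that are not using the VPN tunnel's address.

Added illustration, not code from ProtonVPN or Apple. Assumes a BSD/macOS-style
`netstat -an` snapshot, where the port is separated from the address by the
last dot (e.g. 10.2.0.2.49321), and that the tunnel interface's local address
is known (e.g. from `ifconfig utun2`).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str  # empty for UDP, which netstat prints without a state column


def split_addr(addr: str):
    """Split 'host.port' on the LAST dot so IPv4 and IPv6 hosts both work."""
    host, port = addr.rsplit(".", 1)
    return host, int(port)


def parse_netstat(text: str):
    """Parse netstat -an output into Conn records, skipping headers and listeners."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue  # banner, column header, or a non-inet line
        proto, local, remote = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""
        if local.startswith("*") or remote == "*.*":
            continue  # listening or unbound socket, not a connection
        local_ip, local_port = split_addr(local)
        remote_ip, remote_port = split_addr(remote)
        conns.append(Conn(proto, local_ip, local_port, remote_ip, remote_port, state))
    return conns


def find_bypassing(conns, tunnel_ip: str, allowlist=frozenset()):
    """Return established connections whose local address is not the tunnel's.

    `allowlist` should contain the VPN gateway's address: the outer, encrypted
    transport to the gateway must use the physical interface and is not a leak.
    """
    return [
        c for c in conns
        if c.state == "ESTABLISHED"
        and c.local_ip != tunnel_ip
        and c.remote_ip not in allowlist
    ]


# Constructed snapshot (TEST-NET addresses; not captured from a real device).
# The 5223 connection was opened before the VPN came up and is still bound to
# the Wi-Fi address, so it never entered the tunnel.
SAMPLE_SNAPSHOT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.2.0.2.49321         203.0.113.10.443       ESTABLISHED
tcp4       0      0  192.168.1.23.49208     203.0.113.50.5223      ESTABLISHED
tcp4       0      0  192.168.1.23.49300     198.51.100.7.443       ESTABLISHED
udp4       0      0  192.168.1.23.51820     198.51.100.7.51820
tcp4       0      0  *.22                   *.*                    LISTEN
"""


def report(snapshot: str = SAMPLE_SNAPSHOT, tunnel_ip: str = "10.2.0.2",
           vpn_gateway: str = "198.51.100.7"):
    """Print and return the connections that bypass the tunnel."""
    leaks = find_bypassing(parse_netstat(snapshot), tunnel_ip, {vpn_gateway})
    for c in leaks:
        print(f"OUTSIDE TUNNEL: {c.proto} {c.local_ip}:{c.local_port} -> "
              f"{c.remote_ip}:{c.remote_port}")
    return leaks


if __name__ == "__main__":
    report()
```

With real data the tunnel address comes from the utun interface and the gateway address from the VPN app's server list; anything the script prints after the VPN has been up for a while is a connection that predates the tunnel and deserves the Airplane Mode toggle or a restart of the app that owns it.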
This kind of bug is a real concern for people who rely on VPN technology for privacy. They may believe their secure tunnel is shielding all personal data from nearby observers, network administrators, and remote site operators, when in fact some data is being sent without the VPN's protection and their real IP address can show up in remote server logs. Many users turn to a VPN precisely for privacy on untrusted networks such as the free Wi-Fi in cafes, convention centers, and airports. On that front, Apple may have caught something of a break: COVID-19 has largely shut down the places where iOS users are most likely to be on an untrusted network.
Employees who use a VPN to reach corporate network resources rather than for anonymity are less affected, since connections to those resources can only be opened once the tunnel is up, but an attacker on the same untrusted network can still observe or tamper with any connection that predates the tunnel, including attempting to impersonate its remote end. This is a good illustration of why sites should be accessed over HTTPS even when the traffic is supposed to be inside a VPN: TLS with proper certificate validation keeps the contents and integrity of a bypassing connection protected, although the client's real IP address and the destination it is talking to are still exposed.