Apple removes feature that allowed its apps to bypass MacOS firewalls and VPNs

The ContentFilterExclusionList has been removed in macOS 11.2 beta 2.
Written by Catalin Cimpanu, Contributor
Image: Markus Spiske

Apple has removed a controversial feature from the MacOS operating system that allowed 53 of Apple's own apps to bypass third-party firewalls, security tools, and VPN apps installed by users for their protection.

Known as the ContentFilterExclusionList, the list was included in MacOS 11, also known as Big Sur.

The exclusion list included some of Apple's biggest apps, like the App Store, Maps, and iCloud, and was physically located on disk at: /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist.

Image: Simone Margaritelli

Its presence was discovered last October by several security researchers and app makers who realized that their security tools weren't able to filter or inspect traffic for some of Apple's applications.

Security researchers such as Patrick Wardle, and others, were quick to point out at the time that this exclusion risk was a security nightmare waiting to happen. They argued that malware could latch on to legitimate Apple apps included on the list and then bypass firewalls and security software.

Besides security pros, the exclusion list was widely panned by privacy experts alike, since MacOS users also risked exposing their real IP address and location when using Apple apps, as VPN products wouldn't be able to mask users' location.

Apple said it was temporary

Contacted for comment at the time, Apple told ZDNet the list was temporary but did not provide any details. An Apple software engineer later told ZDNet the list was the result of a series of bugs in Apple apps, rather than anything nefarious from the Cupertino-based company.

The bugs were related to Apple deprecating network kernel extensions (NKEs) in Big Sur and introducing a new system called Network Extension Framework, and Apple engineers not having enough time to iron out all the bugs before the Big Sur launch last fall.

But some of these bugs have been slowly fixed in the meantime, and, yesterday, with the release of MacOS Big Sur 11.2 beta 2, Apple has felt it was safe to remove the ContentFilterExclusionList from the OS code (as spotted by Wardle earlier today).

Once Big Sur 11.2 is released, all Apple apps will once again be subject to firewalls and security tools, and they'll be compatible with VPN apps.

The Mac malware most likely to attack your PC this year

Editorial standards