An unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption, exposing users' data or leaking their IP addresses.
According to ProtonVPN, while connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel.
Apparently, the software genii thought it was not important to terminate existing internet connections when the user connects to a VPN and have them automatically reconnect to the destination servers after the VPN tunnel is established.
But what they were apparently not aware of was that some connections are long-lasting and can remain open for minutes to hours outside the VPN tunnel.
“During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences. For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks.”
Until Apple provides a fix, the company recommends using Always-on VPN to mitigate this problem. "However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN", the report adds.
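One way to check for the behaviour described above from the network side, as an added example that is not taken from ProtonVPN's report: it reads packet records captured at the local gateway and flags flows from the device that were already open when the tunnel came up and still send packets outside it afterwards. The CSV layout, the addresses, the times and the function name `find_leaks` are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample: packets seen at the Wi-Fi gateway (not data from the report).
# 192.168.1.23 is the iOS device, 192.0.2.50 the VPN server, both assumed.
CAPTURE = """\
time,src,sport,dst,dport
2020-01-01T10:00:01,192.168.1.23,50112,203.0.113.10,5223
2020-01-01T10:00:03,192.168.1.23,50140,198.51.100.7,443
2020-01-01T10:00:30,192.168.1.23,51000,192.0.2.50,51820
2020-01-01T10:01:10,192.168.1.23,50112,203.0.113.10,5223
2020-01-01T10:02:00,192.168.1.23,51000,192.0.2.50,51820
2020-01-01T10:14:45,192.168.1.23,50112,203.0.113.10,5223
"""

def find_leaks(capture_csv, device_ip, vpn_server_ip, vpn_up):
    """Return flows from device_ip that still bypass the tunnel after vpn_up."""
    open_before = set()   # flows seen before the tunnel was established
    leaks = {}            # flow -> summary of packets sent outside the tunnel
    for row in csv.DictReader(io.StringIO(capture_csv)):
        if row["src"] != device_ip:
            continue
        ts = datetime.fromisoformat(row["time"])
        flow = (row["sport"], row["dst"], row["dport"])
        if ts < vpn_up:
            open_before.add(flow)
            continue
        if row["dst"] == vpn_server_ip:
            continue      # encapsulated tunnel traffic, expected
        entry = leaks.setdefault(flow, {
            "kind": "pre-existing" if flow in open_before else "new",
            "packets": 0,
            "exposed_seconds": 0,
        })
        entry["packets"] += 1
        # How long after the VPN connected this flow was still outside it.
        entry["exposed_seconds"] = max(entry["exposed_seconds"],
                                       int((ts - vpn_up).total_seconds()))
    return leaks

if __name__ == "__main__":
    up = datetime.fromisoformat("2020-01-01T10:00:30")
    for flow, info in find_leaks(CAPTURE, "192.168.1.23", "192.0.2.50", up).items():
        print(flow, info)
```

In the constructed capture, the short-lived connection to port 443 ends before the tunnel comes up and is not reported, while the long-lived one keeps sending packets outside the tunnel and is flagged as pre-existing.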