Little Snitch is a host machine firewall on MacOS. It is used to monitor egress network traffic. When an application on a system running Little Snitch makes a new, previously unseen connection, Little Snitch will present a pop-up asking the user if the connection should be permitted or not.
While testing this out, the authors noticed that Little Snitch only altered the user once any data was sent over the TCP connection. For instance, simply connecting via netcat, with no data being sent, would not trigger a notification.
Although this seems benign, data can be encoded via simply making a connection! In the proof of concept provided by the article, they encode bits using different ports on the host machine. This could also be done via DNS and other smuggling methods though.
This bug is unfixable (according to the developers) since the product must support domain-to-IP connection features. What's the point of an egress firewall if data can be smuggled out? I think this needs to be redesigned, honestly.