ExpressVPN Exposed User DNS Requests for Years Due to Windows Bug
ExpressVPN developers have issued a warning that they were forced to remove the split tunneling feature from their application. This decision comes after a bug was discovered that exposed the domains visited by users. The issue was identified by CNET staff and affected only the Windows versions of ExpressVPN (from 12.23.1 to 12.72.0), released between May 19, 2022, and February 7, 2024.
Who Was Affected?
The problem only impacted users who enabled the split tunneling feature. Split tunneling allows users to selectively route some of their internet traffic through the VPN tunnel while letting other traffic go outside the VPN, providing flexibility for those who need both local and secure remote access at the same time.
How the Vulnerability Worked
The vulnerability caused user DNS requests to be sent not to ExpressVPN’s infrastructure, as intended, but to the user’s internet service provider (ISP). Normally, all DNS requests are routed through ExpressVPN’s DNS server, which does not keep logs, preventing ISPs and other organizations from tracking which domains a user visits. Due to the bug, some DNS requests were sent to the DNS server specified in the user’s system (usually the ISP’s server), allowing the provider to monitor which websites the client visited.
In effect, the DNS leak meant that Windows users of ExpressVPN with split tunneling enabled were exposing their entire browsing history to third parties.
“The bug allowed some of the user’s DNS requests to be sent to a third-party server, which in most cases was the internet provider. This allowed the provider to see which domains the user visited, such as google.com, although the provider still could not see individual web pages, search queries, or other user activity online. All user internet traffic content remained encrypted and inaccessible to the provider or any other third party,” ExpressVPN developers stated.
Scope and Resolution
ExpressVPN claims that the issue affected only about 1% of Windows users and could only be reproduced when split tunneling was enabled. Users running versions 12.23.1 to 12.72.0 are strongly advised to update their client to the latest version (12.73.0) as soon as possible. In this version, the split tunneling feature has been removed entirely. However, ExpressVPN says that the feature will return in the future once the bug is fixed.
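The sketch below is an added example, not ExpressVPN's code. It checks a client version against the affected range given above and flags DNS flows that left outside the tunnel or went to a resolver the VPN does not operate, which is the leak described under "How the Vulnerability Worked". The flow record format, the interface names and all IP addresses are assumptions constructed for illustration.

```python
import ipaddress

# Affected Windows client versions, inclusive, as stated in the article.
AFFECTED_MIN, AFFECTED_MAX = (12, 23, 1), (12, 72, 0)

def is_affected(version):
    """True if a dotted client version falls inside the affected range."""
    return AFFECTED_MIN <= tuple(int(p) for p in version.split(".")) <= AFFECTED_MAX

def find_dns_leaks(flows, tunnel_iface, vpn_resolvers):
    """Return DNS flows that bypassed the tunnel or a VPN-operated resolver."""
    allowed = {ipaddress.ip_address(r) for r in vpn_resolvers}
    leaks = []
    for flow in flows:
        # Plain DNS (port 53) only: other traffic may leave outside the
        # tunnel by design when split tunneling is enabled.
        if flow["dport"] != 53:
            continue
        dst = ipaddress.ip_address(flow["dst"])
        if flow["iface"] != tunnel_iface or dst not in allowed:
            leaks.append(flow)
    return leaks

# Constructed sample records: hypothetical interface and process names,
# private and documentation-range IP addresses.
SAMPLE_FLOWS = [
    {"iface": "vpn0", "dst": "10.8.0.1", "dport": 53, "proc": "browser.exe"},
    {"iface": "Ethernet", "dst": "203.0.113.80", "dport": 443, "proc": "game.exe"},
    {"iface": "Ethernet", "dst": "198.51.100.53", "dport": 53, "proc": "game.exe"},
]

if __name__ == "__main__":
    for v in ("12.23.0", "12.50.2", "12.73.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    for leak in find_dns_leaks(SAMPLE_FLOWS, "vpn0", ["10.8.0.1"]):
        print("DNS leak:", leak["proc"], "->", leak["dst"], "via", leak["iface"])
```

The split-tunnelled HTTPS flow is not flagged; only the port 53 query sent over the physical interface to the non-VPN resolver is.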