ExpressVPN has identified a critical bug in its Windows client that compromised user privacy by exposing the domains a user visited to the DNS servers configured on the system rather than to ExpressVPN's own resolvers. The bug affected Windows versions 12.23.1 through 12.72.0, published between May 19, 2022, and February 7, 2024, and only impacted users who had the split tunneling feature enabled. Split tunneling lets users choose which applications send their traffic through the VPN tunnel; because of the bug, DNS requests that should have gone through the tunnel were instead sent to the user's ISP, exposing browsing habits even though the traffic itself stayed inside the tunnel. The leak, reported by CNET's Attila Tomaschek, meant an ISP could log which sites a user was visiting, undermining the basic privacy promise of a VPN.
ExpressVPN addressed the issue by removing the split tunneling feature from its latest release and advising affected users to upgrade to version 12.73.0. The company stressed that upgrading is the way to close the leak and restore the expected privacy protection. ExpressVPN also stated that all other online traffic remained encrypted and inaccessible to ISPs or third parties; only the DNS requests leaked.
Approximately 1% of ExpressVPN's Windows users were affected, mainly those using the "Only allow selected apps to use the VPN" split-tunneling mode. For users unable to upgrade immediately, ExpressVPN recommended disabling split tunneling as a temporary measure, which stops the DNS leak. Users who still need split tunneling were advised to install version 10, which is not affected by the bug, until a fix is implemented and split tunneling is reintroduced in a future release.
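As an added check, not ExpressVPN's own tooling or anything from the article, the following PowerShell run on a Windows machine while the VPN is connected lists every adapter that has an IPv4 resolver configured and probes each resolver directly; a resolver that is not on the tunnel adapter yet still answers is one that can see your queries. The adapter-name pattern and the probe hostname are assumptions and must be adjusted to the local setup.

```powershell
# Added example (not ExpressVPN code): enumerate configured IPv4 resolvers per adapter
# and flag any off-tunnel resolver that still answers queries while the VPN is up.
# ASSUMPTION: the VPN adapter's interface alias matches this pattern; check with Get-NetAdapter.
$VpnAliasPattern = 'ExpressVPN|TAP-Windows|Wintun'
# ASSUMPTION: any public name works as a probe; whichever resolver answers has seen this lookup.
$ProbeName = 'example.com'

$report = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $entry    = $_
        $onTunnel = $entry.InterfaceAlias -match $VpnAliasPattern
        foreach ($server in $entry.ServerAddresses) {
            # Query the resolver directly (-DnsOnly bypasses the local cache and LLMNR/NetBIOS).
            # If an off-tunnel resolver answers, the client's leak protection is not blocking it.
            $answered = $false
            try {
                $null = Resolve-DnsName -Name $ProbeName -Server $server -DnsOnly -ErrorAction Stop
                $answered = $true
            } catch { }
            [pscustomobject]@{
                Interface = $entry.InterfaceAlias
                Resolver  = $server
                OnTunnel  = $onTunnel
                Answered  = $answered
                Status    = if ($onTunnel) { 'ok (tunnel resolver)' }
                            elseif ($answered) { 'LEAK RISK: off-tunnel resolver reachable' }
                            else { 'off-tunnel resolver blocked' }
            }
        }
    }

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.OnTunnel -and $_.Answered }) {
    Write-Warning 'A resolver outside the VPN tunnel answers queries: disable split tunneling or upgrade the client.'
}
```

Windows normally keeps the ISP's resolvers configured on the physical adapter even while a VPN is connected, and it is the VPN client's job to keep queries from reaching them; a reachable off-tunnel resolver therefore shows that protection is not in effect, but it does not by itself prove which resolver Windows picks for a given application. Confirm the finding with a dedicated DNS leak test in the browser while split tunneling is on, then repeat with it off.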