ExpressVPN User Data Exposed Due to Bug

ExpressVPN User data exposed due to bug.

ExpressVPN last week disabled split tunneling on its Windows clients to prevent an issue where DNS requests were not properly directed to its servers.

The issue, introduced in May 2022 in version 12.23.1 of ExpressVPN, resulted in DNS requests remaining unprotected in certain conditions, the VPN solutions provider announced.

Normally, when a user is connected to ExpressVPN, their DNS requests are sent to the company’s servers. 

Due to the bug, the requests were sent to a third party, typically the internet services provider (ISP), unless otherwise configured, which could determine the domain visited by the user but not individual pages or other behavior.

“All contents of the user’s traffic remain encrypted by the VPN and unviewable by the ISP or any other third party,” ExpressVPN explains.

How it happened

The bug impacted versions 12.23.1 through 12.72.0 of ExpressVPN for Windows if the split-tunneling feature was used and the ‘Only allow selected apps to use the VPN’ mode was enabled.

The split tunneling feature is meant to allow users to limit the applications that can send their traffic through the VPN solution.

According to ExpressVPN, the bug impacted less than 1% of its Windows users, given that the issue could not be reproduced without split tunneling activated or with split tunneling used in ‘Do not allow selected apps to use the VPN’ mode.

“No other VPN protections, such as encryption, were affected,” ExpressVPN explains.

Version 12.73.0 of ExpressVPN for Windows was rolled out last week to disable split tunneling entirely, and users are advised to upgrade their installations as soon as possible. The feature will remain disabled until the underlying issue is identified and addressed.

Users in urgent need of split tunneling may downgrade to version 10 of ExpressVPN for Windows, in which the feature functions as intended.

Related: Google announces enhanced fraud protection for Android users