ExpressVPN bug has been leaking some DNS requests for years

Trending 1 week ago

Leaky faucet

ExpressVPN has removed nan divided tunneling characteristic from nan latest type of its package aft uncovering that a bug exposed nan domains users were visiting to configured DNS servers.

The bug was introduced successful ExpressVPN Windows versions 12.23.1 – 12.72.0, published betwixt May 19, 2022, and Feb. 7, 2024, and only affected those utilizing nan divided tunneling feature.

The divided tunneling characteristic allows users to selectively way immoderate net postulation successful and retired of nan VPN tunnel, providing elasticity to those needing some section entree and unafraid distant entree simultaneously.

A bug successful this characteristic caused DNS requests of users not to beryllium directed to ExpressVPN's infrastructure, arsenic they should, but to nan user's net work supplier (ISP).

Usually, each DNS requests are done done ExpressVPN's logless DNS server to forestall ISPs and different organizations from search nan domains a personification visits.

However, this bug caused immoderate DNS queries to beryllium sent to nan DNS server configured connected nan computer, usually a server astatine nan user's ISP, allowing nan server to way a user's browsing habits.

Having a DNS petition leak for illustration nan 1 disclosed by ExpressVPN intends that Windows users pinch progressive divided tunneling perchance expose their browsing history to 3rd parties, breaking a core promise of VPN products.

"When a personification is connected to ExpressVPN, their DNS requests are expected to beryllium sent to an ExpressVPN server," explains nan vendor's announcement.

"But nan bug allowed immoderate of those requests to spell alternatively to a third-party server, which successful astir cases would beryllium nan user's net work supplier aliases ISP."

"This lets nan ISP spot what domains are being visited by that user, specified arsenic google.com, though nan ISP still can't spot immoderate individual webpages, searches, aliases different online behavior."

"All contents of nan user's online postulation stay encrypted and unviewable by nan ISP aliases immoderate different 3rd party."

The rumor was discovered and reported to nan vendor by CNET's Attila Tomaschek and only occurs erstwhile nan divided tunneling mode is active.

ExpressVPN says nan rumor only impacted astir 1% of its Windows users, and nan institution could only replicate nan bug successful nan "Only let selected apps to usage nan VPN" split-tunneling mode.

Users of ExpressVPN versions 12.23.1 to 12.72.0 connected Windows should upgrade their customer to nan latest version, 12.73.0.

The latest type removes nan divided tunneling feature. However, ExpressVPN says they will re-introduce it successful a early merchandise erstwhile nan bug is fixed.

If upgrading is impossible, disabling divided tunneling should beryllium capable to forestall nan DNS petition leaks, arsenic nan bug couldn't beryllium replicated successful immoderate different mode.

If you perfectly request to usage divided tunneling, ExpressVPN recommends downloading and utilizing type 10, which isn't impacted by nan bug.