ExpressVPN has eliminated the cut up tunneling function from the most recent model of its software program after discovering {that a} bug uncovered the domains customers have been visiting to configured DNS servers.
The bug was launched in ExpressVPN Home windows variations 12.23.1 – 12.72.0, revealed between Might 19, 2022, and Feb. 7, 2024, and solely affected these utilizing the cut up tunneling function.
The cut up tunneling function permits customers to selectively route some web site visitors out and in of the VPN tunnel, offering flexibility to these needing each native entry and safe distant entry concurrently.
A bug on this function triggered DNS requests of customers to not be directed to ExpressVPN’s infrastructure, as they need to, however to the person’s web service supplier (ISP).
Normally, all DNS requests are performed by means of ExpressVPN’s logless DNS server to stop ISPs and different organizations from monitoring the domains a person visits.
Nevertheless, this bug triggered some DNS queries to be despatched to the DNS server configured on the pc, often a server on the person’s ISP, permitting the server to trace a person’s looking habits.
Having a DNS request leak just like the one disclosed by ExpressVPN signifies that Home windows customers with lively cut up tunneling probably expose their looking historical past to 3rd events, breaking a core promise of VPN merchandise.
“When a person is linked to ExpressVPN, their DNS requests are alleged to be despatched to an ExpressVPN server,” explains the seller’s announcement.
“However the bug allowed a few of these requests to go as a substitute to a third-party server, which generally can be the person’s web service supplier or ISP.”
“This lets the ISP see what domains are being visited by that person, reminiscent of google.com, though the ISP nonetheless cannot see any particular person webpages, searches, or different on-line conduct.”
“All contents of the person’s on-line site visitors stay encrypted and unviewable by the ISP or every other third celebration.”
The difficulty was found and reported to the seller by CNET’s Attila Tomaschek and solely happens when the cut up tunneling mode is lively.
ExpressVPN says the problem solely impacted roughly 1% of its Home windows customers, and the corporate might solely replicate the bug within the “Solely permit chosen apps to make use of the VPN” split-tunneling mode.
Customers of ExpressVPN variations 12.23.1 to 12.72.0 on Home windows ought to improve their shopper to the most recent model, 12.73.0.
The most recent model removes the cut up tunneling function. Nevertheless, ExpressVPN says they’ll re-introduce it in a future launch when the bug is fastened.
If upgrading is unattainable, disabling cut up tunneling must be sufficient to stop the DNS request leaks, because the bug could not be replicated in every other mode.
For those who completely want to make use of cut up tunneling, ExpressVPN recommends downloading and utilizing model 10, which is not impacted by the bug.
