ExpressVPN has removed the split tunneling feature from the latest version of its software after finding that a bug exposed the domains users were visiting to configured DNS servers.
The bug was introduced in ExpressVPN Windows versions 12.23.1 – 12.72.0, published between May 19, 2022, and Feb. 7, 2024, and only affected those using the split tunneling feature.
The split tunneling feature allows users to selectively route some internet traffic in and out of the VPN tunnel, providing flexibility to those needing both local access and secure remote access simultaneously.
A bug in this feature caused DNS requests of users not to be directed to ExpressVPN’s infrastructure, as they should, but to the user’s internet service provider (ISP).
Usually, all DNS requests are done through ExpressVPN’s logless DNS server to prevent ISPs and other organizations from tracking the domains a user visits.
However, this bug caused some DNS queries to be sent to the DNS server configured on the computer, usually a server at the user’s ISP, allowing the server to track a user’s browsing habits.
Having a DNS request leak like the one disclosed by ExpressVPN means that Windows users with active split tunneling potentially expose their browsing history to third parties, breaking a core promise of VPN products.
“When a user is connected to ExpressVPN, their DNS requests are supposed to be sent to an ExpressVPN server,” explains the vendor’s announcement.
“But the bug allowed some of those requests to go instead to a third-party server, which in most cases would be the user’s internet service provider or ISP.”
“This lets the ISP see what domains are being visited by that user, such as google.com, although the ISP still can’t see any individual webpages, searches, or other online behavior.”
“All contents of the user’s online traffic remain encrypted and unviewable by the ISP or any other third party.”
The issue was discovered and reported to the vendor by CNET’s Attila Tomaschek and only occurs when the split tunneling mode is active.
ExpressVPN says the issue only impacted roughly 1% of its Windows users, and the company could only replicate the bug in the “Only allow selected apps to use the VPN” split-tunneling mode.
Users of ExpressVPN versions 12.23.1 to 12.72.0 on Windows should upgrade their client to the latest version, 12.73.0.
The latest version removes the split tunneling feature. However, ExpressVPN says they will re-introduce it in a future release when the bug is fixed.
If upgrading is impossible, disabling split tunneling should be enough to prevent the DNS request leaks, as the bug couldn’t be replicated in any other mode.
If you absolutely need to use split tunneling, ExpressVPN recommends downloading and using version 10, which isn’t impacted by the bug.