Security researchers uncover a flaw in ExpressVPN’s Windows client, potentially exposing browsing activity for a small percentage of users.
A recent discovery by security researchers revealed a worrying bug in ExpressVPN’s Windows client, potentially leaking sensitive DNS requests outside the encrypted VPN tunnel.
This means that, under specific circumstances, websites visited by affected users could be visible to their internet service provider (ISP). While the actual content of online activity remains encrypted, the knowledge of visited websites can still be intrusive and compromise anonymity.
Who Was Affected:
The vulnerability only affected users who had the “split tunneling” feature enabled in their ExpressVPN client. This feature allows users to choose which applications bypass the VPN connection while others remain protected. The issue reportedly impacted roughly 1% of ExpressVPN’s Windows user base.
Impact and Mitigation:
While the leak did not expose the actual content of online activity, it could still reveal browsing habits and potentially be used for targeted advertising or tracking. Thankfully, ExpressVPN swiftly addressed the issue by releasing a patched version (12.73.0) in January 2024. Users with split tunneling enabled are strongly advised to update their clients immediately.
“Versions 12.23.1–12.72.0 of our Windows app, published between May 19, 2022, and Feb. 7, 2024, had a bug that allowed some users’ DNS requests to go unprotected when split tunneling was activated. In these instances, the apps that were supposed to use the VPN might, under some circumstances, send DNS requests to third-party DNS servers instead of our servers.” (ExpressVPN)
ExpressVPN’s Response:
ExpressVPN acknowledged the bug and emphasized its commitment to user privacy. The company also revealed that the bug was discovered and reported by CNET’s Attila Tomaschek.
They released a detailed explanation of the issue and the fix implemented, along with instructions on how to update the client. They also clarified that the vast majority of their users were not affected.
Lessons Learned:
This incident highlights the importance of keeping software, particularly security software, up-to-date. It also reinforces the need for careful consideration when using features like split tunneling, as they can introduce potential vulnerabilities. Users should be aware of the trade-offs involved and prioritize their privacy needs when configuring their VPN settings.
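The affected version range and the split-tunneling condition described above can be turned into a quick fleet check, together with a test for DNS queries that bypass the VPN's resolver. The Python below is an added example, not ExpressVPN's or the researcher's code; the inventory, the DNS record format, the `10.0.0.1` resolver address and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Affected range as stated in the article (12.73.0 is the patched release).
FIRST_AFFECTED = (12, 23, 1)
LAST_AFFECTED = (12, 72, 0)

def parse_version(text):
    """Turn '12.72.0' into (12, 72, 0) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def classify(version_text, split_tunneling):
    """Return 'exposed', 'update' or 'ok' for one Windows client."""
    affected = FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED
    if not affected:
        return "ok"
    # Per the article, only clients with split tunneling enabled leaked DNS.
    return "exposed" if split_tunneling else "update"

def leaked_queries(records, vpn_resolvers):
    """Return DNS records from apps that should be tunnelled but used another resolver."""
    allowed = {ipaddress.ip_address(r) for r in vpn_resolvers}
    return [r for r in records
            if r["tunnelled"] and ipaddress.ip_address(r["resolver"]) not in allowed]

# Constructed inventory and DNS observations (not real data).
INVENTORY = [
    ("host-a", "12.72.0", True),
    ("host-b", "12.9.0", True),    # sorts after 12.23.1 as a string, but is numerically older
    ("host-c", "12.50.2", False),
    ("host-d", "12.73.0", True),
]
VPN_RESOLVERS = ["10.0.0.1"]       # assumed tunnel-side resolver address
DNS_RECORDS = [
    {"app": "browser.exe", "tunnelled": True, "resolver": "10.0.0.1"},
    {"app": "browser.exe", "tunnelled": True, "resolver": "192.0.2.53"},
    {"app": "game.exe", "tunnelled": False, "resolver": "192.0.2.53"},
]

def report():
    """Classify every host in the constructed inventory."""
    return {host: classify(ver, split) for host, ver, split in INVENTORY}

if __name__ == "__main__":
    print(report())
    print(leaked_queries(DNS_RECORDS, VPN_RESOLVERS))
```

Only the second `browser.exe` record is flagged: `game.exe` is deliberately excluded from the tunnel by split tunneling, so its use of a third-party resolver is expected.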