
ExpressVPN has removed its split tunneling feature after a bug caused some users' DNS requests to be sent to third-party servers instead of VPN-dedicated servers.

Discovered by Attila Tomaschek at CNET, the issue was found on ExpressVPN Windows Version 12 when split tunneling was active. This version of the app was first released in May 2022, meaning the bug may have been active for a few years.

ExpressVPN has responded with an announcement stating engineers have now deployed a fix and have temporarily disabled the split tunneling feature. It is believed that only 1% of users have been affected by the flaw, and it only occurred “in some cases” when using the specific split tunneling mode “Only allow selected apps to use the VPN.”

Split tunneling allows users to choose which devices or apps have traffic put through an encrypted VPN tunnel while the rest have a direct internet connection. Instead of being directed to ExpressVPN’s servers, DNS requests went to a third-party server.

“When a user is connected to ExpressVPN, their DNS requests are supposed to be sent to an ExpressVPN server,” the VPN provider states. “But the bug allowed some of those requests to go instead to a third-party server, which in most cases would be the user’s internet service provider, or ISP.”

ExpressVPN split tunneling feature via ExpressVPN

This allowed the ISP to see the domains users were visiting, like google.com. However, ExpressVPN notes that a user’s online traffic is still encrypted and hidden from the ISP or any other third party, meaning they couldn’t see web pages or searches.
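To check a packet capture for this kind of leak, the added example below (not code from ExpressVPN or from the original article) decodes DNS queries and lists those sent to any resolver other than the tunnel's, showing the domain name an outside observer would see. The resolver address `10.8.0.1`, the sample packets and all function names are assumptions constructed for illustration.

```python
import ipaddress
import struct

def build_query(name, qid=0x1234):
    """Build a minimal DNS A query; used only to construct the sample input."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def query_name(payload):
    """Return the name in the first question of a DNS query, or None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels) or "."
        if length > 63 or pos + 1 + length > len(payload):
            return None  # pointer, oversized or truncated label
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None  # ran off the end without a terminating zero label

def find_leaks(packets, tunnel_resolvers):
    """packets: (dst_ip, udp_payload) pairs. Returns queries sent outside the tunnel."""
    allowed = {ipaddress.ip_address(r) for r in tunnel_resolvers}
    leaks = []
    for dst, payload in packets:
        name = query_name(payload)
        if name is not None and ipaddress.ip_address(dst) not in allowed:
            leaks.append((dst, name))
    return leaks

# Constructed sample; 10.8.0.1 and 192.0.2.53 are assumed addresses, not real resolvers.
TUNNEL_RESOLVERS = ["10.8.0.1"]
SAMPLE = [
    ("10.8.0.1", build_query("example.org")),   # stays in the tunnel
    ("192.0.2.53", build_query("google.com")),  # goes to a third-party resolver
    ("192.0.2.53", b"\x00\x01"),                # malformed, skipped
]

if __name__ == "__main__":
    for dst, name in find_leaks(SAMPLE, TUNNEL_RESOLVERS):
        print(f"LEAK: query for {name} sent to {dst}")
```

In practice the `(dst_ip, udp_payload)` pairs would come from port 53 traffic captured on the physical adapter while the VPN is connected.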

Other versions of the VPN app remain unaffected by the bug. ExpressVPN recommends Version 10 of the Windows app for anyone who wants to use split tunneling. The feature will return to Version 12 once the issue has been resolved.

Should you stop using ExpressVPN?

It’s important to note that the bug is known to have affected only a small number of users on Windows. Moreover, the bug only allowed the ISP to see domains, not specific web pages or searches made by the user.

Since the bug is now being fixed, and ExpressVPN quickly acted on the flaw, it’s still safe to use the VPN service. For more on what features ExpressVPN offers and its privacy and security measures, check out our thoughts in our ExpressVPN review. If you’re after something else, have a look through the best VPNs you can get right now.

Darragh Murphy