ExpressVPN exposes ...
 
Notifications
Clear all

ExpressVPN exposes user data due to a bug

1 Posts
1 Users
0 Reactions
192 Views
Brandon Lee
(@brandon-lee)
Posts: 554
Member Admin
Topic starter
 

Do any of you use ExpressVPN? 

Last week, ExpressVPN took the step of disabling the split tunneling feature on its Windows clients. This decision came as a response to a discovered bug that prevented DNS requests from being correctly routed to ExpressVPN's servers. The flaw, first identified in version 12.23.1 released in May 2022, led to DNS requests being exposed under certain conditions, according to the VPN provider.

Under normal circumstances, ExpressVPN routes a user's DNS requests to its own servers, ensuring privacy and security. However, due to this bug, these requests were inadvertently sent to third-party entities, typically the user's Internet Service Provider (ISP). While this misrouting allowed ISPs to see which domains were being accessed, specific page visits and other detailed user activities remained protected by VPN encryption and were not accessible to the ISP or any external parties.

The issue was present in ExpressVPN versions ranging from 12.23.1 to 12.72.0 for Windows, specifically when the split tunneling feature was activated in the 'Only allow selected apps to use the VPN' mode. Split tunneling is a functionality designed to let users specify which applications transmit data through the VPN, offering flexibility in managing network traffic.

ExpressVPN noted that the bug affected a small fraction of its Windows user base — less than 1% — as it only manifested under the conditions involving active split tunneling or when using the feature in a specific mode.

To address the security concern, ExpressVPN released version 12.73.0 for Windows, which completely disables split tunneling. Users are urged to update their software to this latest version to avoid any potential exposure. The company has stated that the split tunneling feature will remain off until a solution for the bug is found and implemented.

For users who rely heavily on split tunneling, ExpressVPN suggests downgrading to version 10 of their Windows application, where the feature operates correctly. This temporary measure ensures that users can continue to enjoy the benefits of split tunneling while maintaining their online privacy and security.

https://www.expressvpn.com/support/troubleshooting/split-tunneling-not-available-in-version-12-of-windows-app/

 
Posted : 12/02/2024 11:32 am