ExpressVPN has informed its customers that a vulnerability in the latest version of its Windows app has exposed the DNS requests of a small subset of users to their internet service providers.
When the split tunneling feature was activated in version 12 of the ExpressVPN app for Windows, some DNS requests bypassed the VPN’s encrypted tunnel and were sent to third-party DNS servers, in this case the users’ ISPs. Affected users exposed their browsing history to their ISPs without realizing it and were also susceptible to man-in-the-middle attacks for an extended period.
The issue was discovered and reported to the VPN vendor by CNET’s writer Attila Tomaschek and impacts all versions released between 12.23.1 and 12.72.0. This means that the DNS leak problem persisted between May 19, 2022, and February 7, 2024, but it was unfortunately missed by all audits looking into the security and integrity of the Windows client.
Split tunneling is a feature that allows users to select which apps send traffic through the VPN and which connect directly to the internet. This feature is useful for accessing local network devices or optimizing performance for specific applications. However, DNS requests are never meant to be routed outside the product’s encrypted tunnels, so this was an oversight that might have undermined the privacy of ExpressVPN users.
The VPN provider reports that the issue affected a minimal portion of its clientele. Only approximately 1% of its Windows users utilize the split tunneling feature, thus limiting the impact to a small subset of its customer base. Despite the limited scope of the issue, the functionality has been temporarily disabled in the most recent app version, 12.73.0. This precautionary measure will remain in effect until ExpressVPN’s engineering team thoroughly investigates and resolves the matter.
Until then, users who need to continue using split tunneling may do so safely by downgrading to version 10, which isn’t impacted by the vulnerability. You can download this older client version from here. After activating split tunneling, validate that your DNS requests aren’t exposed to your ISP using DNS leak test tools.
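The check described above can also be done offline against a packet capture: any DNS query that leaves through the physical adapter instead of the tunnel is a leak. The script below is an added example, not ExpressVPN’s code; the interface names (vpn0, eth0), the resolver range and the capture lines are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed environment (constructed): the VPN adapter is "vpn0" and the
# provider's resolver lives in this private range; "eth0" is the physical NIC.
VPN_INTERFACES = {"vpn0"}
VPN_RESOLVER_NETS = [ip_network("10.8.0.0/24")]

@dataclass(frozen=True)
class DnsQuery:
    iface: str
    dst_ip: str
    dst_port: int
    qname: str

def parse_capture(text: str) -> list[DnsQuery]:
    """Parse 'iface,dst_ip,dst_port,qname' lines; skip blanks and comments."""
    queries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        iface, dst, port, name = (f.strip() for f in line.split(","))
        queries.append(DnsQuery(iface, dst, int(port), name))
    return queries

def is_leak(q: DnsQuery) -> bool:
    """DNS traffic (plain 53 or DNS-over-TLS 853) leaks when it neither
    exits via the tunnel adapter nor targets the VPN's own resolver."""
    if q.dst_port not in (53, 853):
        return False
    if q.iface in VPN_INTERFACES:
        return False
    addr = ip_address(q.dst_ip)
    return not any(addr in net for net in VPN_RESOLVER_NETS)

def find_leaks(text: str) -> list[DnsQuery]:
    return [q for q in parse_capture(text) if is_leak(q)]

# Constructed capture: two queries over the tunnel, one query leaked to an
# ISP resolver via the physical NIC, and one non-DNS flow that must be ignored.
SAMPLE = """
# iface, dst_ip, dst_port, qname
vpn0, 10.8.0.1, 53, example.com
eth0, 203.0.113.53, 53, bank.example
vpn0, 10.8.0.1, 53, news.example
eth0, 198.51.100.7, 443, cdn.example
"""

if __name__ == "__main__":
    for q in find_leaks(SAMPLE):
        print(f"LEAK: {q.qname} -> {q.dst_ip} via {q.iface}")
```

A real capture can be exported to the same four columns with tshark’s field output before being fed to `find_leaks`.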
Despite this lapse, ExpressVPN remains a top-rated product in the VPN market. It offers extensive platform support, a verified no-logs policy, satisfactory customer service, competitive performance, a rich selection of servers, and support for most streaming services. Check out our detailed review of ExpressVPN.
Update: ExpressVPN has fixed the issue
On February 21, 2024, ExpressVPN emailed RestorePrivacy to let us know the issue has been fixed:
The newest Windows releases (Version 12.74.0 and Version 10.51.0) are available now, and all Windows users are recommended to update their apps today. You can find the full release notes for both Version 12.74.0 and Version 10.51.0 here: https://www.expressvpn.com/support/vpn-setup/release-notes/windows-app/
If you’re interested in a more in-depth understanding of what happened throughout the investigation and building process, we’ve shared a blog post which describes the bugs, their root causes and the fixes in detail. You can find the full blog post here: https://www.expressvpn.com/blog/split-tunneling-returns-to-all-windows-users/
Further reading:
- CyberGhost VPN for Windows Vulnerable to Command Injection
- VPN Tests – How to Check if Your VPN is Working in 2024
- CyberGhost VPN Client Vulnerable to Man-in-the-Middle Attacks
- Kape Technologies (Formerly Crossrider) Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN “Review” Websites
dalet
This is most probably one of the effects of mass layoffs at express vpn.
DNS leak problem persisted between May 19, 2022, and February 7, 2024 and was missed by all audits.
I am thinking about express vpn as my surfshark subscription is about to expire in April, good thing this is reported here at RP.
placebo
And just out of curiosity, what made you consider leaving Surfshark (for ExpressVPN)?
dalet
expressvpn was just one of my many options. I like surfshark but my online banking is always blocked if on vpn.
Placebo
Thanks for the info! I’ll check it out when I try Surfshark.