For several years, a bug in ExpressVPN has been leaking some DNS requests

ExpressVPN has removed the split tunneling feature from its latest software version after the discovery of a bug that exposed the domains users visited to the DNS servers configured on their systems.

This bug affected ExpressVPN Windows versions 12.23.1 to 12.72.0, released between May 19, 2022, and February 7, 2024, and specifically impacted users utilizing the split tunneling feature.

Split tunneling allows users to selectively route internet traffic in and out of the VPN tunnel, providing flexibility for simultaneous local and secure remote access.

However, a flaw in this feature caused some DNS requests to be sent not to ExpressVPN’s infrastructure as intended, but to the DNS server configured on the user’s system, typically that of their internet service provider (ISP).

Typically, all DNS requests are routed through ExpressVPN’s logless DNS server to prevent tracking by ISPs and other entities. However, this bug resulted in some DNS queries being sent to the user’s configured DNS server, often their ISP’s server, enabling the tracking of browsing habits.

This DNS request leak, as disclosed by ExpressVPN, potentially exposes the browsing history of Windows users with active split tunneling to third parties, compromising a fundamental promise of VPN products.

ExpressVPN clarified that while the bug allowed ISPs to see visited domains such as google.com, the encrypted contents of the user’s online traffic remain inaccessible to ISPs or other third parties.

The issue was identified and reported to ExpressVPN by CNET’s Attila Tomaschek and is only observed when split tunneling mode is enabled.

ExpressVPN stated that approximately 1% of its Windows users were affected by this issue, and that the bug could be reproduced only in the “Only allow selected apps to use the VPN” split tunneling mode.

Users of ExpressVPN versions 12.23.1 to 12.72.0 on Windows are advised to update their client to the latest version, 12.73.0, which removes the split tunneling feature. However, the company plans to reintroduce it in a future release once the bug is resolved.

For those unable to upgrade, disabling split tunneling should prevent DNS request leaks, as the bug does not manifest in other modes.

For users requiring split tunneling functionality, ExpressVPN recommends downloading and using version 10, which remains unaffected by the bug.
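
A defensive check for the leak described above, as an added example that is not ExpressVPN's code or part of the original article: it tests a client version against the affected range and flags plain DNS lookups in exported capture records that bypassed the tunnel. The record layout, interface names and the resolver address 10.8.0.1 are constructed, and the capture is assumed to contain only traffic from apps selected to use the VPN.

```python
import csv
import io
from ipaddress import ip_address

# Constructed sample: flow records exported from a packet capture on a Windows
# host. Column names, interface names and addresses are made up for this example.
SAMPLE_FLOWS = """time,iface,dst_ip,dst_port,qname
10:00:01,vpn0,10.8.0.1,53,example.org
10:00:02,eth0,192.168.1.1,53,google.com
10:00:03,eth0,203.0.113.7,443,
10:00:04,vpn0,10.8.0.1,53,example.net
10:00:05,eth0,198.51.100.53,53,mail.example.com
"""

# Affected Windows client range as stated in the article (inclusive).
FIRST_AFFECTED, LAST_AFFECTED = (12, 23, 1), (12, 72, 0)


def is_affected(version):
    """True if a dotted Windows client version falls in the affected range."""
    parts = tuple(int(p) for p in version.split("."))
    return FIRST_AFFECTED <= parts <= LAST_AFFECTED


def find_dns_leaks(flows_csv, tunnel_iface, vpn_resolvers):
    """Return plain DNS flows that left outside the tunnel or went to a
    resolver other than the VPN's. Only port 53 is checked; DoH/DoT lookups
    (443/853) are not visible to this check."""
    allowed = {ip_address(r) for r in vpn_resolvers}
    leaks = []
    for row in csv.DictReader(io.StringIO(flows_csv)):
        if int(row["dst_port"]) != 53:
            continue
        outside_tunnel = row["iface"] != tunnel_iface
        foreign_resolver = ip_address(row["dst_ip"]) not in allowed
        if outside_tunnel or foreign_resolver:
            leaks.append((row["time"], row["iface"], row["dst_ip"], row["qname"]))
    return leaks


if __name__ == "__main__":
    for version in ("12.23.1", "12.72.0", "12.73.0"):
        print(version, "affected" if is_affected(version) else "not affected")
    for leak in find_dns_leaks(SAMPLE_FLOWS, "vpn0", ["10.8.0.1"]):
        print("leaked lookup:", leak)
```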
