ExpressVPN has temporarily removed split tunneling from the latest version of its Windows app due to a bug that exposes the domains users visit to their internet service provider (ISP) and possibly other third parties.
In a statement on Thursday, Jan. 8, ExpressVPN said the issue only occurs in some cases when users select “Only allow selected apps to use the VPN” in split tunneling mode. The company believes the issue affects less than one percent of its users, but it has released an update that disables split tunneling until the bug is resolved.
ExpressVPN’s split tunneling feature, which lets users selectively route their internet traffic outside of the VPN tunnel, mistakenly redirected DNS (Domain Name System) requests to users’ ISPs instead of ExpressVPN’s encrypted servers, the company explained.
The flaw affects versions 12.23.1 to 12.72.0 of ExpressVPN’s app for Windows. ExpressVPN said VPN expert and CNET writer Attila Tomaschek notified the company about the issue, and that it is taking steps to mitigate the risks and fix the bug.
What Are the Risks of DNS Leaks?
DNS leaks compromise users’ privacy and go against the very reason for using a VPN — i.e., to cloak your online activities from external surveillance.
If you’re using one of the affected ExpressVPN apps, there’s a good chance that your ISP can see the domains you’re visiting. However, it can’t see what you’re doing on these sites, as your internet traffic is encrypted.
Still, DNS leaks can compromise users’ anonymity and privacy. With access to users’ DNS requests, ISPs and other third parties can build a profile of the user’s online behavior and interests. This could be used for targeted advertising or, in the worst-case scenario, for more nefarious purposes like social engineering attacks.
DNS leaks can also put users on the wrong side of the law in countries with strict internet monitoring and censorship.
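The sketch below is an added example, not code from ExpressVPN or from this article. It shows how a DNS leak under split tunneling can be spotted in a query log and which domains each outside resolver got to see. The log format, process names, interface names and addresses are constructed, and it assumes a leak means a query from an app selected to use the VPN leaving on a non-tunnel interface.

```python
import csv
import io

# Constructed sample: one row per DNS query seen on a host while the VPN is
# connected. Column names, interface names, process names and addresses are
# invented for this example (addresses are private or documentation ranges).
SAMPLE_LOG = """\
process,interface,resolver,qname
browser.exe,vpn-tunnel,10.0.0.1,example.org
browser.exe,ethernet,192.0.2.53,example.org
mail.exe,vpn-tunnel,10.0.0.1,mail.example.net
updater.exe,ethernet,192.0.2.53,updates.example.com
Browser.exe,Ethernet,192.0.2.53,Private.example.org
"""


def find_dns_leaks(log_text, tunneled_apps, tunnel_interface):
    """Map (process, resolver) to the sorted domains that resolver saw.

    Assumption: a query is a leak when its process is on the "use the VPN"
    list but the query left on an interface other than the tunnel. Queries
    from apps outside that list bypass the VPN by design and are skipped.
    """
    tunneled = {name.lower() for name in tunneled_apps}
    leaks = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        process = row["process"].strip().lower()
        if process not in tunneled:
            continue  # split tunneling routes this app outside the VPN
        if row["interface"].strip().lower() == tunnel_interface.lower():
            continue  # resolved through the tunnel, as intended
        key = (process, row["resolver"].strip())
        leaks.setdefault(key, set()).add(row["qname"].strip().lower())
    return {key: sorted(names) for key, names in leaks.items()}


if __name__ == "__main__":
    found = find_dns_leaks(SAMPLE_LOG, ["browser.exe", "mail.exe"], "vpn-tunnel")
    for (process, resolver), domains in found.items():
        print(f"{process} -> {resolver}: {', '.join(domains)}")
```

The resolver in each result is the party that learned the listed domains, which is the exposure the article describes.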
Here’s What You Can Do Now
ExpressVPN urged users to update to Version 12.73.0 “while engineers investigate and fix the problem.”
If your ExpressVPN app hasn’t notified you that a new update is available, we recommend manually updating to the most recent version.
If you need to use split tunneling, ExpressVPN recommends opting for version 10 of its app, which is unaffected by the bug and available for download on the provider’s Windows app versions page.
ExpressVPN is a beginner-friendly tool that consistently ranks in our top five best VPNs. It’s incredibly easy to use and has some much-needed privacy features. Despite this DNS leak, ExpressVPN is still a great choice.
Worried your VPN connection is leaking data? Check out our VPN leak test guide to learn how to test your connection for data leaks.