ExpressVPN Axes Split Tunneling Over Privacy Leak: A Bug Exposed DNS Requests for Years

Last updated February 12, 2024. Written by Editor.

In a decisive move to protect user privacy, ExpressVPN has temporarily removed the split tunneling feature from its Windows application. This decision came after the discovery of a bug that inadvertently exposed users’ domain visits to their ISPs, a significant breach of privacy expectations tied to VPN use. The flaw affected versions 12.23.1 to 12.72.0 of the ExpressVPN Windows app, released between May 19, 2022, and February 7, 2024, impacting users who utilized the split tunneling feature.

Split tunneling, a popular VPN feature, allows users to route some of their internet traffic outside the VPN tunnel while keeping other traffic secure. This capability is crucial for users needing simultaneous access to local and remote resources. However, a bug within this function led to DNS requests—intended to be securely managed within ExpressVPN’s infrastructure—being sent to ISPs instead. Normally, ExpressVPN routes DNS requests through its own logless DNS servers to prevent tracking by ISPs or other entities. This bug thus undermined a core privacy guarantee by allowing ISPs to log the domains visited by users.

The issue was particularly problematic for users with the “Only allow selected apps to use the VPN” mode enabled, with ExpressVPN estimating that about 1% of its Windows users were affected. The company could replicate the bug exclusively in this specific split tunneling mode.
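A triage check for the exposure described above, as an added example that is not ExpressVPN's code or tooling. It assumes the stated version range is inclusive, that only apps selected to use the VPN are expected to resolve through the tunnel, and a hypothetical flow-record format with constructed sample data.

```python
import ipaddress

# Affected ExpressVPN Windows app versions and mode, as stated in the article.
FIRST_AFFECTED = (12, 23, 1)
LAST_AFFECTED = (12, 72, 0)
AFFECTED_MODE = "Only allow selected apps to use the VPN"


def parse_version(text):
    """Turn '12.72.0' into (12, 72, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_exposed(version, split_tunnel_mode):
    """True when the install matches the version range and mode the article names."""
    in_range = FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED
    return in_range and split_tunnel_mode == AFFECTED_MODE


def leaked_dns_flows(flows, tunnel_resolvers, vpn_apps):
    """Return plain DNS flows (port 53) from VPN-selected apps that went to a
    resolver other than the tunnel's. Apps outside vpn_apps bypass the VPN by
    design in this mode, so their DNS traffic is not counted as a leak.

    flows: dicts with 'process', 'dst_ip', 'dst_port' (hypothetical format).
    """
    allowed = {ipaddress.ip_address(ip) for ip in tunnel_resolvers}
    return [
        f for f in flows
        if f["process"] in vpn_apps
        and f["dst_port"] == 53
        and ipaddress.ip_address(f["dst_ip"]) not in allowed
    ]


# Constructed sample data: private and documentation-range addresses only.
TUNNEL_RESOLVERS = ["10.0.0.1"]
VPN_APPS = {"browser.exe"}
SAMPLE_FLOWS = [
    {"process": "browser.exe", "dst_ip": "10.0.0.1", "dst_port": 53},
    {"process": "browser.exe", "dst_ip": "192.0.2.53", "dst_port": 53},  # outside tunnel
    {"process": "browser.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"process": "updater.exe", "dst_ip": "192.0.2.53", "dst_port": 53},  # not VPN-selected
]

if __name__ == "__main__":
    print("exposed:", is_exposed("12.72.0", AFFECTED_MODE))
    for flow in leaked_dns_flows(SAMPLE_FLOWS, TUNNEL_RESOLVERS, VPN_APPS):
        print("DNS outside tunnel:", flow["process"], "->", flow["dst_ip"])
```

The flow check only covers unencrypted DNS on port 53; DNS over TLS or HTTPS would need a different data source.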

After the bug was discovered, as detailed by CNET’s Attila Tomaschek, ExpressVPN acted swiftly to mitigate the issue by advising users of the impacted versions to upgrade to the latest version (12.73.0), which omits the split tunneling feature. ExpressVPN says this is a temporary measure and plans to reintroduce split tunneling once the bug is resolved. For users unable to upgrade, disabling split tunneling is recommended as a sufficient precaution against this privacy leak. Those who require split tunneling are advised to download and use version 10 of the app, which remains unaffected by the bug.

This incident shines a spotlight on the continuous challenge VPN providers face in ensuring user privacy and security. ExpressVPN’s prompt response and transparent communication about the issue underscore their commitment to user privacy. It also serves as a reminder of the importance of regular software updates and the need for users to stay informed about the security status of their VPN service.

For users seeking VPNs with robust DNS leak protection and a commitment to privacy, exploring options with these specific features is more crucial than ever. In light of this event, the best VPN with DNS Leak Protection offers insights into secure and reliable VPN services that prioritize user privacy above all.

ExpressVPN’s handling of this incident—through immediate action and clear communication—demonstrates the importance of trust and transparency in the VPN industry. As digital privacy continues to be a paramount concern, users must remain vigilant and proactive in safeguarding their online presence.
