Security researchers uncover a flaw in ExpressVPN’s Windows client, potentially exposing browsing activity for a small percentage of users.
A recent discovery by security researchers revealed a worrying bug in ExpressVPN‘s Windows client, potentially leaking sensitive DNS requests outside the encrypted VPN tunnel.
This means that, under specific circumstances, websites visited by affected users could be visible to their internet service provider (ISP). While the actual content of online activity remains encrypted, the knowledge of visited websites can still be intrusive and compromise anonymity.
Who Was Affected:
The vulnerability only affected users who had the “split tunneling” feature enabled in their ExpressVPN client. This feature allows users to choose which applications bypass the VPN connection while others remain protected. The issue reportedly impacted roughly 1% of ExpressVPN’s Windows user base.
Impact and Mitigation:
While the leak did not expose the actual content of online activity, it could still reveal browsing habits and potentially be used for targeted advertising or tracking. Thankfully, ExpressVPN swiftly addressed the issue by releasing a patched version (12.73.0) in January 2024. Users with split tunneling enabled are strongly advised to update their clients immediately.
Versions 12.23.1–12.72.0 of our Windows app, published between May 19, 2022, and Feb. 7, 2024, had a bug that allowed some users’ DNS requests to go unprotected when split tunneling was activated. In these instances, the apps that were supposed to use the VPN might, under some circumstances, send DNS requests to third-party DNS servers instead of our servers.
ExpressVPN
ExpressVPN’s Response:
ExpressVPN acknowledged the bug and emphasized its commitment to user privacy. The company also revealed that the bug was discovered and reported by CNET’s Attila Tomaschek.
They released a detailed explanation of the issue and the fix implemented, along with instructions on how to update the client. They also clarified that the vast majority of their users were not affected.
Lessons Learned:
This incident highlights the importance of keeping software, particularly security software, up-to-date. It also reinforces the need for careful consideration when using features like split tunneling, as they can introduce potential vulnerabilities. Users should be aware of the trade-offs involved and prioritize their privacy needs when configuring their VPN settings.
In Summary
- The bug was discovered and reported by CNET’s Attila Tomaschek.
- This was not a full-blown data leak, only DNS requests leaked in specific situations.
- The content of your online activity remained encrypted and protected.
- The issue only affected certain versions of the ExpressVPN client on Windows.
- The issue has been fixed and the vast majority of users were not affected.
RELATED TOPCIS
- How to Secure a Website by Monitoring DNS Records
- Almost Every Major Free VPN Service is a Glorified Data Farm
- New VPN Malvertising Attack Drops OpcJacker Crypto Stealer
- Google Incognito Mode: New Disclaimer Reveals Data Tracking
- Free VPN Service SuperVPN Exposes 360 Million User Records
- Chinese VPN app Quickfox caught exposing 1 million users’ data