ExpressVPN Removes Split Tunneling Feature Over DNS Leak

by | Feb 12, 2024 | News





In a recent development, ExpressVPN has taken action to address a critical flaw in its software, prompting the removal of the split tunneling feature from its latest version. The decision came after the discovery of a bug that inadvertently exposed users’ visited domains to configured DNS servers. The vulnerability, present in ExpressVPN Windows versions 12.23.1 – 12.72.0, released between May 19, 2022, and Feb. 7, 2024, primarily affected users utilizing the split tunneling feature.

Split tunneling, a feature allowing users to selectively route internet traffic in and out of the VPN tunnel, provides flexibility for those requiring simultaneous access to local and remote resources securely. However, a flaw in this feature led to DNS requests bypassing ExpressVPN’s infrastructure and being directed to users’ internet service providers (ISPs) instead. This diversion enabled ISPs to potentially track users’ browsing habits, compromising the privacy and security promised by VPN products.
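A defender can confirm this kind of leak from a packet capture by checking which resolver each DNS query was sent to. The following is an added example, not code from ExpressVPN or the original article; the tunnel resolver address 10.8.0.1, the sample packets and all function names are constructed assumptions.

```python
import ipaddress
import struct

# Assumption: the only resolver the VPN client should use (constructed value).
TUNNEL_RESOLVERS = {ipaddress.ip_address("10.8.0.1")}

def build_query(name: str) -> bytes:
    """Build a minimal DNS A query, used only to construct the sample data."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(payload: bytes) -> str:
    """Return the first question name from a raw DNS query message."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question section")
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + 1 + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    raise ValueError("truncated name")

def find_leaks(packets, tunnel_resolvers=TUNNEL_RESOLVERS):
    """Return (resolver, domain) for each port-53 query sent outside the tunnel."""
    leaks = []
    for dst_ip, dst_port, payload in packets:
        if dst_port != 53 or ipaddress.ip_address(dst_ip) in tunnel_resolvers:
            continue
        try:
            leaks.append((dst_ip, parse_qname(payload)))
        except ValueError:
            leaks.append((dst_ip, "<unparseable>"))
    return leaks

# Constructed capture: (destination IP, destination port, UDP payload).
SAMPLE = [
    ("10.8.0.1", 53, build_query("intranet.example")),    # inside the tunnel
    ("192.0.2.53", 53, build_query("news.example.org")),  # sent to a non-VPN resolver
    ("192.0.2.80", 443, b"\x16\x03\x01"),                  # not DNS, ignored
    ("192.0.2.53", 53, b"\x00\x01"),                       # malformed DNS payload
]

if __name__ == "__main__":
    print(find_leaks(SAMPLE))
```

Every tuple returned is a domain name that a party outside the VPN could observe; an empty list means all captured queries stayed on the tunnel resolver.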

 


ExpressVPN, acknowledging the severity of the issue, addressed the concern after it was reported by CNET’s Attila Tomaschek. The company noted that the bug affected approximately 1% of its Windows users, particularly those utilizing the “Only allow selected apps to use the VPN” split-tunneling mode. Users of affected versions are advised to upgrade to the latest version, 12.73.0, which removes the split tunneling feature altogether.




For users unable to upgrade immediately, ExpressVPN recommends disabling split tunneling to mitigate the risk of DNS request leaks.

Additionally, the company assures users that the split tunneling feature will be reintroduced in a future release once the bug is fully addressed. In the interim, users who need split tunneling are advised to download and use version 10, which is unaffected by the bug.


Source: bleepingcomputer.com
