ExpressVPN has temporarily disabled its split-tunneling feature for a certain set of users to fix a bug that’s been exposing its users’ DNS requests.
After being tipped off by CNET’s Attila Tomaschek, ExpressVPN released an emergency update to disable split tunneling while it worked on a fix.
“Although the issue is believed to involve less than 1% of users on a single app platform, Version 12 for Windows, ExpressVPN rolled out an update that disabled split tunneling on that platform entirely, to minimize the potential ongoing risk to customers,” ExpressVPN says. “The feature will remain deactivated while engineers investigate and fix the problem.”
ExpressVPN’s split tunneling is supposed to let the user designate what traffic should travel through the VPN’s encrypted connection and what traffic should travel outside of it. However, all DNS requests were supposed to be routed through ExpressVPN’s no-log DNS server, even for traffic that wasn’t using the VPN, to ensure user privacy.
The issue is that some DNS requests weren’t routed through ExpressVPN’s DNS server, exposing them to third parties, most commonly the users’ ISPs. According to Bleeping Computer, the issue was introduced in version 12.23.1 in May 2022 and continued through version 12.72.0, which launched on Feb. 7, 2024. That means the issue has been around for almost two years.
ExpressVPN said it could only recreate the issue with a specific configuration. Split tunneling had to be active and the “Only allow selected apps to use the VPN” setting had to be enabled. None of the other features, such as encryption, were affected by the issue.
Users of Version 10 of the Windows app, along with the apps on other platforms, are unaffected and should be able to continue using ExpressVPN split tunneling as usual. Those on Version 12 who don’t want to forgo split tunneling can downgrade to Version 10; go to the app versions page and select Download Older Version.