Thursday, February 22, 2024

ExpressVPN bug has been leaking some DNS requests for years

Leaky faucet

ExpressVPN has eliminated the break up tunneling characteristic from the most recent model of its software program after discovering {that a} bug uncovered the domains customers had been visiting to configured DNS servers.

The bug was launched in ExpressVPN Home windows variations 12.23.1 – 12.72.0, printed between Might 19, 2022, and Feb. 7, 2024, and solely affected these utilizing the break up tunneling characteristic.

The break up tunneling characteristic permits customers to selectively route some web visitors out and in of the VPN tunnel, offering flexibility to these needing each native entry and safe distant entry concurrently.

A bug on this characteristic precipitated DNS requests of customers to not be directed to ExpressVPN’s infrastructure, as they need to, however to the consumer’s web service supplier (ISP).

Normally, all DNS requests are achieved by means of ExpressVPN’s logless DNS server to forestall ISPs and different organizations from monitoring the domains a consumer visits.

Nonetheless, this bug precipitated some DNS queries to be despatched to the DNS server configured on the pc, often a server on the consumer’s ISP, permitting the server to trace a consumer’s looking habits.

Having a DNS request leak just like the one disclosed by ExpressVPN signifies that Home windows customers with energetic break up tunneling doubtlessly expose their looking historical past to 3rd events, breaking a core promise of VPN merchandise.

“When a consumer is related to ExpressVPN, their DNS requests are purported to be despatched to an ExpressVPN server,” explains the seller’s announcement.

“However the bug allowed a few of these requests to go as an alternative to a third-party server, which most often could be the consumer’s web service supplier or ISP.”

“This lets the ISP see what domains are being visited by that consumer, comparable to, though the ISP nonetheless cannot see any particular person webpages, searches, or different on-line conduct.”

“All contents of the consumer’s on-line visitors stay encrypted and unviewable by the ISP or another third celebration.”

The difficulty was found and reported to the seller by CNET’s Attila Tomaschek and solely happens when the break up tunneling mode is energetic.

ExpressVPN says the difficulty solely impacted roughly 1% of its Home windows customers, and the corporate may solely replicate the bug within the “Solely permit chosen apps to make use of the VPN” split-tunneling mode.

Customers of ExpressVPN variations 12.23.1 to 12.72.0 on Home windows ought to improve their consumer to the most recent model, 12.73.0.

The newest model removes the break up tunneling characteristic. Nonetheless, ExpressVPN says they are going to re-introduce it in a future launch when the bug is fastened.

If upgrading is unimaginable, disabling break up tunneling must be sufficient to forestall the DNS request leaks, because the bug could not be replicated in another mode.

If you happen to completely want to make use of break up tunneling, ExpressVPN recommends downloading and utilizing model 10, which is not impacted by the bug.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles