Customers of ExpressVPN have been notified of a vulnerability in the most recent version of the Windows app that permitted some DNS requests to be routed to a third-party server, usually the user’s internet service provider (ISP).
After a reviewer pointed out that there might be a problem with the way the app handles DNS requests for users who have “split tunneling enabled,” ExpressVPN’s engineers swiftly released a fix for the Version 12 app for Windows.
Engineers have temporarily removed a feature from its Windows app to reduce the possibility of mishandling DNS requests.
Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks.
Overview of the ExpressVPN Flaw
A user’s DNS requests should be routed to an ExpressVPN server when they are connected to the service. However, the flaw made it possible for some of those requests to be routed to a different server—typically, the user’s ISP—instead of the original server.
“This lets the ISP see what domains are being visited by that user, such as google.com, although the ISP still can’t see any individual webpages, searches, or other online behavior,” the VPN provider reports.
“All contents of the user’s online traffic remain encrypted and unviewable by the ISP or any other third party.”
VPN expert and staff writer at CNET, Attila Tomaschek, contacted ExpressVPN to report that he was observing DNS requests on his Windows computer that weren’t going to ExpressVPN’s dedicated servers as expected.
Particularly, this happened when he enabled split tunneling, which limits which apps may send traffic across the VPN.
To reduce the possible continued risk to consumers, ExpressVPN released an update that completely disabled split tunneling on one app platform, Version 12, for Windows, even though the vulnerability is thought to affect less than 1% of users.
“The feature will remain deactivated while engineers investigate and fix the problem”, the report said.
All versions released between 12.23.1 and 12.72.0 are affected by this issue on Windows.
On Windows, users of ExpressVPN versions 12.23.1 to 12.72.0 should update to the most recent version, 12.73.0.
If you use the Windows Version 12 app, you need to update to the most recent version if it hasn’t updated itself previously. Users do not need to take any action if they are using the Windows Version 10 app or any of the apps for other platforms and devices.
As soon as engineers are certain that the DNS issue has been fixed, split tunneling will resume on Version 12. It’s still accessible in the Windows app version 10 and is operating as it should.