ExpressVPN removed the split tunneling feature after discovering that a bug was exposing user-visited domains to the default DNS servers of ISPs.
The bug was found in ExpressVPN for Windows versions 12.23.1 to 12.72.0, published between May 19, 2022 and February 7, 2024, and affected only users of the split tunneling feature. Split tunneling lets users selectively route a portion of Internet traffic in and out of a VPN tunnel, providing flexibility for those who need both local access and secure remote access at the same time, reports Bleeping Computer.
A bug in this feature caused users' DNS requests to be directed to the user's Internet Service Provider (ISP) rather than to the ExpressVPN infrastructure.
Typically, all DNS queries are made through ExpressVPN's log-free DNS server to prevent ISPs and others from tracking the domains the user visits.
However, this bug caused some DNS queries to be sent to the DNS server configured on the user's computer (usually the ISP's server), allowing the server to track the user's browsing habits.
DNS lookup leaks mean that Windows users with active split tunneling could potentially expose their browsing history to third parties, breaking the core promise of VPN products.
This allows the ISP to see what domains the user is visiting, such as google.com, although the ISP still cannot see individual web pages, search queries, or other behavior. However, the entire content of the user's Internet traffic remains encrypted and cannot be viewed by the ISP or any other third party.
ExpressVPN says the issue only affected about 1% of Windows users, and the company was only able to reproduce the bug in the split tunnel mode “Allow only selected apps to use the VPN.”
Users of ExpressVPN versions 12.23.1 to 12.72.0 for Windows should update the client to the latest version 12.73.0. It removes the split tunneling feature. However, ExpressVPN says they will bring it back in a future release once the bug is fixed.
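A defender-side check for the leak described above, as an added example that is not from the article or from ExpressVPN: it scans a constructed packet-capture export for plain DNS queries that did not reach the VPN resolver over the tunnel, and tests a client version against the affected range. The adapter names, resolver addresses and log format are assumptions.

```python
from collections import defaultdict

# Assumptions (not from the article): tunnel adapter name and VPN resolver IP.
TUNNEL_IFACE = "vpn0"
VPN_RESOLVER = "10.0.0.1"

# Constructed sample: "time egress_iface dst_ip dst_port qname", as one might
# export from a packet capture taken on the Windows host.
SAMPLE = """\
12:00:01 vpn0 10.0.0.1 53 example.com
12:00:02 eth0 192.0.2.53 53 example.org
12:00:03 vpn0 10.0.0.1 53 example.net
12:00:04 eth0 192.0.2.53 53 EXAMPLE.org.
12:00:05 eth0 198.51.100.7 443 example.com
12:00:06 vpn0 192.0.2.53 53 intranet.example
malformed line
"""

def parse(line):
    """Return (time, iface, dst_ip, dst_port, qname) or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    t, iface, dst, port, qname = parts
    # Normalise case and the trailing root dot so duplicates collapse.
    return t, iface, dst, int(port), qname.rstrip(".").lower()

def find_leaks(text, tunnel=TUNNEL_IFACE, resolver=VPN_RESOLVER):
    """Map each resolver other than the VPN's to the domains it was sent."""
    leaks = defaultdict(set)
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec[3] != 53:
            continue  # skip malformed lines and anything that is not plain DNS
        _, iface, dst, _, qname = rec
        # A leak is a query off the tunnel, or to any resolver but the VPN's.
        if iface != tunnel or dst != resolver:
            leaks[dst].add(qname)
    return dict(leaks)

def in_affected_range(version):
    """True for the Windows client versions the article lists as affected."""
    v = tuple(int(x) for x in version.split("."))
    return (12, 23, 1) <= v <= (12, 72, 0)

if __name__ == "__main__":
    for server, names in find_leaks(SAMPLE).items():
        print(server, sorted(names))
```

Only plain DNS on port 53 is inspected, so encrypted DNS transports would not appear in this check.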