A worrying ExpressVPN flaw may have been leaking user info online for years — but you might not need to be too concerned

Top VPN provider ExpressVPN was notified of a bug in one of its products and was forced to disable a popular feature until it can deploy a fix.

In a blog post, the company said Attila Tomaschek, a VPN expert and CNET’s staff writer, reached out recently after observing that DNS requests on his Windows computer were not being redirected to ExpressVPN’s dedicated servers, as they should have been. Tomaschek was using the Version 12 app for Windows and had the split tunneling feature turned on.

Split tunneling allows traffic to be routed through a VPN and the local network at the same time. When it’s activated, some apps send their traffic through the VPN, while others don’t. 

Specific conditions

ExpressVPN said it investigated the issue and released an update that disables the feature on the platform entirely while it works on a fix. The feature will remain deactivated until the company can confidently say that the DNS issue has been resolved.

It also suggested that most people shouldn’t be too worried. “The issue is believed to involve less than 1% of users on a single app platform, Version 12 for Windows”, ExpressVPN said.

“We were only able to replicate the issue when using the specific split tunneling mode “Only allow selected apps to use the VPN,” and even then, we found that it only occurred in some cases. In our testing, users who had not activated split tunneling at all, or who had chosen the other mode, “Do not allow selected apps to use the VPN,” had their DNS requests handled properly. No other VPN protections, such as encryption, were affected,” they added.

So, there is a chance that even with split tunneling turned on, your traffic was still secure. For now, the feature remains disabled and users should keep an eye on ExpressVPN for the fix. Split tunneling is available in Version 10 of the Windows app. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.