ExpressVPN developers have removed the separate tunneling feature in the latest version of the app. The reason is a bug that was recently identified, which revealed some DNS queries and, as a result, the history of visiting web resources.
The company admits that the bug was present in versions 12.23.1 through 12.72.0 inclusive. Thus, a number of requests were merged from May 19, 2022 to February 7, 2023.
The problem affected users who enabled split tunneling, which is a feature that selectively routes traffic both inside and outside the VPN tunnel.
As a rule, this functionality is needed for flexible client configuration, where both local and secure remote access is required.
The bug caused the user not to connect to the ExpressVPN infrastructure, but to go to the Internet service provider. Usually, all DNS requests must pass through the ExpressVPN server, which does not store logs, in order to prevent providers and other organizations from tracking the domains visited by the user.
However, the configuration error allowed individual requests to be sent to the provider's server, which opened up the possibility of tracking user habits.
Thus, users on Windows with separate tunneling enabled revealed the history of visiting websites, which fundamentally contradicts the principles of VPN software.
ExpressVPN users are advised to upgrade to version 12.73.0, which no longer has the bug.
The company admits that the bug was present in versions 12.23.1 through 12.72.0 inclusive. Thus, a number of requests were merged from May 19, 2022 to February 7, 2023.
The problem affected users who enabled split tunneling, which is a feature that selectively routes traffic both inside and outside the VPN tunnel.
As a rule, this functionality is needed for flexible client configuration, where both local and secure remote access is required.
The bug caused the user not to connect to the ExpressVPN infrastructure, but to go to the Internet service provider. Usually, all DNS requests must pass through the ExpressVPN server, which does not store logs, in order to prevent providers and other organizations from tracking the domains visited by the user.
However, the configuration error allowed individual requests to be sent to the provider's server, which opened up the possibility of tracking user habits.
Thus, users on Windows with separate tunneling enabled revealed the history of visiting websites, which fundamentally contradicts the principles of VPN software.
ExpressVPN users are advised to upgrade to version 12.73.0, which no longer has the bug.
