"ExpressVPN User Data Exposed Due to Bug"

ExpressVPN recently disabled split tunneling on its Windows clients to prevent an issue where DNS requests were not properly directed to its servers.  The issue, introduced in May 2022 in version 12.23.1 of ExpressVPN, resulted in DNS requests remaining unprotected in certain conditions.  Normally, when users connect to ExpressVPN, their DNS requests are sent to the company's servers.  The company noted that due to the bug, the requests were sent to a third party, typically the internet services provider (ISP), unless otherwise configured, which could determine the domain visited by the user but not individual pages and other behavior.  The company stated that all contents of the user's traffic remain encrypted by the VPN and unviewable by the ISP or any other third party.  The bug impacted versions 12.23.1 through 12.72.0 of ExpressVPN for Windows if the split-tunneling feature was used and the "Only allow selected apps to use the VPN" mode was enabled.  According to ExpressVPN, the bug impacted less than 1% of its Windows users, given that the issue could not be reproduced without split tunneling activated or with split tunneling used in the "Do not allow selected apps to use the VPN" mode. 

SecurityWeek reports: "ExpressVPN User Data Exposed Due to Bug"