Facepalm: ExpressVPN, a VPN service that provides a secure internet connection with a 30-day money-back guarantee, had a bug in the Windows version of its software for the past two years that could be exploited to leak domains visited by customers.

On May 19, 2022, ExpressVPN released version 12.23.1 of its Windows software, necessary for accessing the company's well-known VPN service. This release introduced a bug that allowed some DNS requests to remain "unprotected" when the split tunneling feature was active. As a response, the developers opted to disable split tunneling temporarily.

ExpressVPN's official website explains that split tunneling allows customers to route certain device or app traffic through the encrypted VPN tunnel while allowing other devices or applications to access the internet directly. This feature can be beneficial in specific scenarios where encrypted internet traffic might impede proper access to local services. Additionally, it can provide improved download performance or unimpeded access to devices connected to the local network (LAN).

ExpressVPN supports two split tunneling modes: normal split tunneling and "inverse" split tunneling. With the bugged software, using inverse tunneling led to the leakage of users' DNS requests to third-party servers. Instead of passing through ExpressVPN's servers, the domain resolution requests traversed the regular internet connection, potentially allowing external entities (usually the ISP managing the DNS servers) to detect users' browsing activity.

The bug, acknowledged by ExpressVPN, was discovered by "VPN expert" and CNET staff writer Attila Tomaschek. It was a bit of an embarrassment for a company that promises a VPN secure service that "just works." Despite affecting less than one percent of the Windows user base, the company decided to disable the entire split tunneling feature to minimize potential ongoing risks.

The latest release of ExpressVPN for Windows no longer provides the split tunneling options, and users are encouraged to install it as soon as possible for security reasons. Users of the older version 10, as well as customers with other computing platforms, are not affected by the bug.

ExpressVPN programmers are diligently working to address the security flaw in version 12, as the company states. Once engineers are confident that the DNS issue has been resolved, split tunneling should be reinstated in an updated release.