An ExpressVPN bug has been leaking users' browsing history to ISPs for years

ExpressVPN has removed the split tunneling feature from its Windows client after discovering a bug that exposed the domains users visited to whatever DNS servers were configured on the machine, which by default are the internet service provider's.

The bug is present in ExpressVPN for Windows versions 12.23.1 through 12.72.0, released between May 19, 2022 and February 7, 2024, and it only affected users of the split tunneling feature, Bleeping Computer reports. Split tunneling lets a user route only part of their traffic through the VPN tunnel while the rest goes out directly, so that local network access and a protected remote connection can be used at the same time.

An error in this feature caused some of the user's DNS requests to be sent not to ExpressVPN's infrastructure but to the user's internet service provider (ISP).

Normally, all DNS requests go through ExpressVPN's own no-logs DNS servers, precisely so that the ISP and other parties cannot track which domains the user visits.

Because of this error, however, some DNS requests were instead sent to the DNS server configured on the user's computer (usually the ISP's), which lets the operator of that server build a record of the user's browsing habits.
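The failure mode described above is visible from the client side: Windows sends a query to whichever resolver is configured on an interface, so if the ISP's resolver is still reachable on the physical adapter while the tunnel is up, a query can leave outside the tunnel. The following PowerShell diagnostic is an added example, not code from ExpressVPN or from the article, that enumerates the default route, the resolvers configured on every interface, and then queries each resolver directly to show which ones still answer while the VPN is connected. It assumes the tunnel adapter's name or description matches the pattern in $TunnelPattern and that $ProbeName is a hostname you are comfortable resolving repeatedly; both are assumptions you should adjust.

```powershell
# Added client-side DNS leak diagnostic for Windows (not ExpressVPN's code).
# Run in an elevated PowerShell while the VPN is connected, once with split
# tunneling off and once with it on, and compare the output.

$TunnelPattern = 'ExpressVPN|TAP|Wintun'   # assumption: how the tunnel adapter is named on this machine
$ProbeName     = 'example.com'             # assumption: a hostname that is safe to resolve for testing

# 1. Which adapter carries the IPv4 default route? With a full tunnel this should be the VPN adapter.
Write-Host "Default routes (lowest metric first):"
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object RouteMetric |
    Select-Object InterfaceAlias, NextHop, RouteMetric |
    Format-Table -AutoSize

# 2. Every IPv4 resolver Windows knows about, per interface. The DNS client may send a
#    query to any of these, not only to the ones on the tunnel interface.
$resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
Write-Host "Configured IPv4 resolvers per interface:"
$resolvers |
    Select-Object InterfaceAlias, @{ n = 'Servers'; e = { $_.ServerAddresses -join ', ' } } |
    Format-Table -AutoSize

# 3. Identify the tunnel adapter(s) and flag resolvers that live on any other interface.
#    Those are the ones a split-tunnel bug can hand a query to, and they are usually the ISP's.
$tunnelIfaces = (Get-NetAdapter |
    Where-Object { $_.Name -match $TunnelPattern -or $_.InterfaceDescription -match $TunnelPattern }).Name
if (-not $tunnelIfaces) {
    Write-Warning "No adapter matched '$TunnelPattern'; adjust the pattern to your tunnel adapter."
}
$resolvers |
    Where-Object { $tunnelIfaces -notcontains $_.InterfaceAlias } |
    ForEach-Object {
        Write-Warning ("Non-tunnel resolver(s) on '{0}': {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', '))
    }

# 4. Query each configured resolver directly, bypassing the local cache. A resolver on a
#    non-tunnel interface that still answers while the VPN is up is reachable outside the
#    tunnel, which is the precondition for the leak described in the article.
foreach ($r in $resolvers) {
    foreach ($srv in $r.ServerAddresses) {
        try {
            $ans = Resolve-DnsName -Name $ProbeName -Server $srv -Type A -DnsOnly -ErrorAction Stop
            $ips = ($ans | Where-Object Type -eq 'A').IPAddress -join ', '
            Write-Host ("{0} on '{1}' answered: {2}" -f $srv, $r.InterfaceAlias, $ips)
        } catch {
            Write-Host ("{0} on '{1}' did not answer: {2}" -f $srv, $r.InterfaceAlias, $_.Exception.Message)
        }
    }
}
```

This shows the preconditions for a leak, not the leak itself: a resolver that answers in step 4 is reachable, but whether Windows actually chose it for a given lookup is not visible here. The conclusive test remains the classic one, resolving a unique, never-before-seen name under a domain whose authoritative server logs you control, then checking which source address the query arrived from.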

A DNS leak means that Windows users with split tunneling active may have been revealing their browsing history to third parties, which undercuts the core promise of a VPN product.

The leak lets the ISP see which domains the user visits, although it still cannot see individual web pages, search queries, or other activity on those sites: the traffic the user routed through the tunnel remains encrypted and unreadable to the ISP or any other third party.

ExpressVPN says the issue affected only about 1% of its Windows users, and that it was able to reproduce the bug only in the split tunneling mode "Allow only selected apps to use VPN".

Users of ExpressVPN for Windows versions 12.23.1 through 12.72.0 should update the client to the latest version, 12.73.0, which removes the split tunneling feature entirely. ExpressVPN says it will reintroduce the feature in a future release once the bug is fixed.

