ExpressVPN: bug leaked years of browsing history to ISPs
ExpressVPN has remotely disabled its split tunneling feature after a bug was found to be leaking the domains users visited to the DNS servers configured on their systems, which by default are those of their ISPs.
ExpressVPN DNS Request Leak Vulnerability
Bug Detection and Audits
The bug was present in ExpressVPN for Windows versions 12.23.1 through 12.72.0, released between May 19, 2022 and February 7, 2024. It only affected users of the split tunneling feature, which routes only some Internet traffic through the VPN tunnel. The bug was reported by researchers at Bleeping Computer.
Cause of DNS query leak
The bug caused users' DNS queries to be sent not to ExpressVPN's infrastructure but to their Internet service provider.
Normally, all DNS queries go through ExpressVPN's own DNS servers so that the domains a user visits cannot be tracked. Because of the bug, however, some DNS queries were sent to the DNS servers configured on the user's computer, which allowed the ISP to monitor their online activity.
As a result, Windows users of the split tunneling feature may have had the privacy of their browsing history compromised, which defeats the main benefit of a VPN connection.
This lets the ISP see which domains the user visits, such as google.com. The content of the user's Internet traffic, however, remains encrypted and cannot be read by the ISP or third parties.
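The following is an added audit script, not code from the article or from ExpressVPN. It checks for the precondition of the leak described above: while the VPN is connected, an adapter other than the tunnel adapter still has resolvers configured that are not the VPN's own, so a query sent on that adapter would reach the ISP's resolver. It parses a constructed sample of `ipconfig /all` output (the adapter names, addresses and the VPN resolver address `10.8.0.1` are assumptions; ExpressVPN's real resolver addresses are not given in the article) and lists every adapter/resolver pair that bypasses the tunnel.

```python
import ipaddress
import platform
import re
import subprocess

# Constructed sample of `ipconfig /all` output (not a real capture).
# Adapter names and addresses are assumptions for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       203.0.113.54

Unknown adapter VPN Tunnel Adapter:

   IPv4 Address. . . . . . . . . . . : 10.8.0.2(Preferred)
   DNS Servers . . . . . . . . . . . : 10.8.0.1
"""

# Assumed resolver address pushed by the VPN client onto its tunnel adapter.
VPN_RESOLVERS = ["10.8.0.1"]

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)?\s*$")
IP_ONLY_RE = re.compile(r"^\s+(\S+)\s*$")


def _is_ip(token):
    """True if token is an IPv4/IPv6 literal (zone index like %12 is ignored)."""
    try:
        ipaddress.ip_address(token.split("%")[0])
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Map each adapter name to the list of DNS servers configured on it.

    Handles the multi-line 'DNS Servers' field, whose extra resolvers appear
    on continuation lines that contain only an address."""
    adapters = {}
    current = None
    in_dns = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = []
            in_dns = False
            continue
        if current is None:
            continue
        m = DNS_RE.match(line)
        if m:
            in_dns = True
            if m.group(1):
                adapters[current].append(m.group(1))
            continue
        if in_dns:
            m = IP_ONLY_RE.match(line)
            if m and _is_ip(m.group(1)):
                adapters[current].append(m.group(1))
                continue
            in_dns = False
    return adapters


def find_leaks(adapters, vpn_resolvers):
    """Return (adapter, resolver) pairs whose resolver is not a VPN resolver.

    Each pair is a path on which a DNS query would bypass the tunnel and
    reach the ISP-assigned resolver, i.e. the condition behind the leak."""
    allowed = {ipaddress.ip_address(r) for r in vpn_resolvers}
    leaks = []
    for adapter, servers in adapters.items():
        for server in servers:
            if ipaddress.ip_address(server.split("%")[0]) not in allowed:
                leaks.append((adapter, server))
    return leaks


if __name__ == "__main__":
    # On Windows, audit the live configuration; elsewhere, use the sample.
    if platform.system() == "Windows":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    for adapter, server in find_leaks(parse_ipconfig(text), VPN_RESOLVERS):
        print(f"non-VPN resolver {server} on adapter '{adapter}'")
```

Run it while the VPN is connected; any line it prints is a resolver that split-tunneled traffic could fall back to. A clean configuration audit is necessary but not sufficient, so confirm the fix by capturing UDP/TCP port 53 traffic on the physical adapter and checking that no queries appear there.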
Number of affected users and resolution
The issue affected about 1% of ExpressVPN for Windows users; the company reproduced the bug in the split tunneling mode "Allow only selected apps to use the VPN."
Users running version 12.23.1 or later are advised to update the ExpressVPN client to version 12.73.0, which disables the split tunneling feature. The company plans to bring the feature back in a new release once the bug is completely fixed.
- DNS queries are requests sent to a DNS server to obtain the IP address of a host from its domain name.
- A VPN tunnel is a secure connection between devices over the Internet that protects the privacy and integrity of the transmitted data.
- An Internet service provider (ISP) is an organization that provides access to the Internet.
- Bleeping Computer is a well-known information security and news resource.