ExpressVPN bug has been leaking some DNS requests for years

From bleepingcomputer.com

ExpressVPN has removed the split tunneling feature from the latest version of its software after finding that a bug exposed the domains users were visiting to configured DNS servers.

The bug was present in ExpressVPN Windows versions 12.23.1 – 12.72.0, published between May 19, 2022, and Feb. 7, 2024, and only affected those using the split tunneling feature.

The split tunneling feature allows users to selectively route some internet traffic through the VPN tunnel and some outside it, providing flexibility to those needing both local access and secure remote access simultaneously.

A bug in this feature caused users' DNS requests to be sent to the user’s internet service provider (ISP) instead of to ExpressVPN’s infrastructure, where they should have gone.
