After a tip, ExpressVPN acts swiftly to protect customers

Engineers temporarily remove a feature in our Windows app to minimize the risk of DNS requests being improperly handled.

[Update on April 16, 2024] Following a fix of the issue that prompted this post, split tunneling was restored to all Windows versions, and cybersecurity firm Nettitude has since conducted a security audit on our Windows apps to verify the remediation of the DNS issue related to split tunneling. Learn more and read the full report

ExpressVPN’s engineers have quickly deployed a fix to our Version 12 app for Windows, thanks to a tip from a reviewer that something might be amiss with how the app handles DNS requests for users who have split tunneling activated.

Attila Tomaschek, a VPN expert and staff writer at the tech publication CNET, notified ExpressVPN that he had observed DNS requests on his Windows machine weren’t being directed to ExpressVPN’s dedicated servers, as expected. This occurred when he had activated split tunneling, which limits which apps send their traffic through the VPN. 

Although the issue is believed to involve less than 1% of users on a single app platform, Version 12 for Windows, ExpressVPN rolled out an update that disabled split tunneling on that platform entirely, to minimize the potential ongoing risk to customers. The feature will remain deactivated while engineers investigate and fix the problem.

We were only able to replicate the issue when using the specific split tunneling mode “Only allow selected apps to use the VPN,” and even then, we found that it only occurred in some cases. In our testing, users who had not activated split tunneling at all, or who had chosen the other mode, “Do not allow selected apps to use the VPN,” had their DNS requests handled properly. No other VPN protections, such as encryption, were affected. 

What should happen

When a user is connected to ExpressVPN, their DNS requests are supposed to be sent to an ExpressVPN server. But the bug allowed some of those requests to go instead to a third-party server, which in most cases would be the user’s internet service provider, or ISP. This lets the ISP see what domains are being visited by that user, such as google.com, although the ISP still can’t see any individual webpages, searches, or other online behavior. All contents of the user’s online traffic remain encrypted and unviewable by the ISP or any other third party. 
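An added example, not ExpressVPN's code: a check a defender could run over outbound flow records to verify the behaviour described above, flagging any DNS query that leaves outside the VPN adapter or goes to a resolver other than the VPN's. The record format, adapter names and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Plain DNS and DNS-over-TLS. DNS-over-HTTPS on 443 is not visible to this check.
DNS_PORTS = {53, 853}

@dataclass(frozen=True)
class Flow:
    interface: str  # adapter the packet left on (hypothetical names)
    dst_ip: str
    dst_port: int
    process: str

def find_dns_leaks(flows, tunnel_interface, vpn_resolvers):
    """Return (flow, reasons) for DNS flows that bypass the VPN's resolver."""
    allowed = {ipaddress.ip_address(r) for r in vpn_resolvers}
    leaks = []
    for f in flows:
        if f.dst_port not in DNS_PORTS:
            continue  # split-tunnelled non-DNS traffic is expected off-tunnel
        dst = ipaddress.ip_address(f.dst_ip)
        if dst.is_loopback:
            continue  # local stub resolver; its upstream query is a separate flow
        reasons = []
        if f.interface != tunnel_interface:
            reasons.append("left outside tunnel")
        if dst not in allowed:
            reasons.append("unexpected resolver")
        if reasons:
            leaks.append((f, reasons))
    return leaks

# Constructed sample records; addresses are private/documentation ranges.
SAMPLE = [
    Flow("vpn-tunnel", "10.8.0.1", 53, "browser.exe"),     # expected path
    Flow("Ethernet", "192.0.2.53", 53, "updater.exe"),     # query to ISP resolver
    Flow("vpn-tunnel", "198.51.100.7", 53, "mail.exe"),    # in tunnel, wrong resolver
    Flow("Ethernet", "203.0.113.10", 443, "updater.exe"),  # split-tunnelled app traffic
    Flow("Loopback", "127.0.0.1", 53, "browser.exe"),      # local stub
]

if __name__ == "__main__":
    for flow, reasons in find_dns_leaks(SAMPLE, "vpn-tunnel", ["10.8.0.1"]):
        print(f"{flow.process}: {flow.dst_ip}:{flow.dst_port} via "
              f"{flow.interface} ({', '.join(reasons)})")
```
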

If you’re a user of the Version 12 app for Windows, you should upgrade to the latest app if your app has not already updated automatically. Split tunneling will return to Version 12 as soon as engineers are confident that the DNS issue has been resolved. [Editor’s Note: A previous version of this article encouraged people who needed split tunneling to install V10. Instead, we now recommend waiting for the next release of Version 12, which will be shipping soon.]

For more details on our response to this incident, please consult our FAQ in the Support Center. 

A word of thanks

ExpressVPN is extremely grateful to our extensive community of customers, beta testers, and experts who take the time to notify us of potential issues or to suggest improvements in our products. We invite anyone interested to join our beta testing program, and we offer a generous bug bounty to security researchers who report problems, no matter how small, that allow us to make our apps safer and better for all our users around the world. 

ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.