GadgetBond

  • Latest
  • How-to
  • Tech
    • AI
    • Amazon
    • Apple
    • CES
    • Computing
    • Creators
    • Google
    • Meta
    • Microsoft
    • Mobile
    • Samsung
    • Security
    • Xbox
  • Transportation
    • Audi
    • BMW
    • Cadillac
    • E-Bike
    • Ferrari
    • Ford
    • Honda Prelude
    • Lamborghini
    • McLaren
    • Mercedes
    • Porsche
    • Rivian
    • Tesla
  • Culture
    • Apple TV
    • Disney
    • Gaming
    • Hulu
    • Marvel
    • HBO Max
    • Netflix
    • Paramount
    • SHOWTIME
    • Star Wars
    • Streaming
Add GadgetBond as a preferred source to see more of our stories on Google.
Font ResizerAa
GadgetBondGadgetBond
  • Latest
  • Tech
  • AI
  • Deals
  • How-to
  • Apps
  • Mobile
  • Gaming
  • Streaming
  • Transportation
Search
  • Latest
  • Deals
  • How-to
  • Tech
    • Amazon
    • Apple
    • CES
    • Computing
    • Creators
    • Google
    • Meta
    • Microsoft
    • Mobile
    • Samsung
    • Security
    • Xbox
  • AI
    • Anthropic
    • ChatGPT
    • ChatGPT Atlas
    • Gemini AI (formerly Bard)
    • Google DeepMind
    • Grok AI
    • Microsoft Copilot
    • OpenAI
    • Perplexity
    • xAI
  • Transportation
    • Audi
    • BMW
    • Cadillac
    • E-Bike
    • Ferrari
    • Ford
    • Honda Prelude
    • Lamborghini
    • McLaren W1
    • Mercedes
    • Porsche
    • Rivian
    • Tesla
  • Culture
    • Apple TV
    • Disney
    • Gaming
    • Hulu
    • Marvel
    • HBO Max
    • Netflix
    • Paramount
    • SHOWTIME
    • Star Wars
    • Streaming
Follow US
AppsSecurityTech

ExpressVPN disables split tunneling due to DNS leak bug

A DNS leak bug impacted 1% of ExpressVPN’s Windows users over the years, routing browsing data outside the VPN tunnel to spying internet providers when leveraging split tunneling.

By
Shubham Sawarkar
Shubham Sawarkar's avatar
ByShubham Sawarkar
Editor-in-Chief
I’m a tech enthusiast who loves exploring gadgets, trends, and innovations. With certifications in CISCO Routing & Switching and Windows Server Administration, I bring a sharp...
Follow:
- Editor-in-Chief
Feb 12, 2024, 2:06 AM EST
Share
We may get a commission from retail offers. Learn more
ExpressVPN disables split tunneling due to DNS leak bug
Photo: Alamy
SHARE

Popular virtual private network (VPN) provider ExpressVPN has uncovered and promptly addressed a troubling vulnerability in recent versions of its Windows software that allowed internet service providers (ISPs) and other third parties to view some user DNS requests, potentially exposing browsing habits and destroying privacy promises.

The significant bug was introduced in ExpressVPN Windows versions 12.23.1 through 12.72.0, spanning releases from May 19th, 2022 through February 7th, 2024. It allowed DNS leakages for those using the “split tunneling” feature, which intelligently routes some traffic through the encrypted VPN tunnel while other traffic routes outside the tunnel.

While contents of user traffic remained protected, DNS requests that should have been hidden were exposed. DNS requests reveal the domains users visit, providing insightful browsing history to snoopers.

By design, ExpressVPN directs all DNS traffic through its own DNS servers to prevent observation by ISPs, governments, hackers, and others. This bug defeated these privacy protections for affected Windows users with split tunneling enabled.

The vulnerability was discovered and responsibly reported by security researcher Attila Tomaschek of CNET. Tomaschek uncovered that with split tunneling active, some DNS requests were leaking to external DNS servers instead of being securely routed through ExpressVPN’s private infrastructure.

Most commonly, requests were exposed to a user’s own ISP’s DNS server. While this did not reveal specific pages visited or account details, it did expose the sites and services a user connected to.

ExpressVPN releases patch, disables split tunneling

In response, ExpressVPN rapidly patched the affected application versions and disabled split tunneling functionality while they solved the underlying problem.

They noted that only about 1% of Windows users actively leveraged split tunneling and were impacted by the bug. For those affected, visited domains could have been observed by ISPs for over 2 years until the discovery of the flaw.

The company recommends that affected users upgrade to the latest ExpressVPN Windows version 12.73.0, which removes but will later re-add split tunneling once the bugs are resolved. For anyone requiring split tunneling immediately, they advise downgrading to the older version 10 release.

This situation highlights the importance of vulnerability discovery and responsible disclosure for fixing bugs before malicious actors become aware and abuse them. It also illustrates the difficulty of assembling secure, reliable virtual private networking tools.

ExpressVPN’s actions demonstrate their commitment to transparency, integrity, and protecting their users. While a small percentage were impacted for a short period, they deserve credit for their response and dedication to doing better going forward. The intent is not to punish providers when bugs occur but to ensure accountability to do better.

ExpressVPN
App Store screenshot of ExpressVPN, showing the app details with a 4.5-star rating. The image displays three preview panels highlighting features: 160 lightning-fast VPN locations, one subscription for all devices, and customer support. The app icon is red and white, and the screenshot is set against a purple and dark blue background, depicting a smartphone interface.
Image: ExpressVPN

ExpressVPN is a secure channel that creates a tunnel between your device and the internet. It ensures the protection of your data from snooping and censorship. With best-in-class encryption, 24/7 live chat support, and TrustedServer technology, it guarantees maximum security. You can connect to servers in 105 countries and use up to 14 devices at the same time. With lightning-fast speeds, ExpressVPN is the ultimate solution for your online privacy needs.

Try ExpressVPN

Discover more from GadgetBond

Subscribe to get the latest posts sent to your email.

Topic:ExpressVPN
Most Popular

Google Vids adds Gemini Omni and personal avatars

The day the internet realized a list of links wasn’t enough

LG’s new commercial washers can clean and dry in just one hour

ASUS cracks the code on stick drift with the new ROG Raikiri II Pro

EA’s new Madden NFL 27 Arcade Edition launches August 6

Also Read
Google AI Mode on a smartphone connects to music, design and grocery apps to create playlists, show design options and update a shopping cart.

Google AI Mode is adding apps, actions and more ambition

Promotional graphic featuring an Apple MacBook and iPad with colorful wallpapers alongside an Apple Gift Card on a black background. Bright comic-style graphic elements surround the devices, highlighting an Apple gift card offer for eligible Mac and iPad purchases.

Apple’s college student offer returns—along with some notable exclusions

Promotional graphic for the MLS Season Pass on Apple TV featuring the slogan "IT'S GOOD TO BE BACK" in large white text on an orange background. The MLS and Apple TV logos appear in the top-left corner, while several soccer players in action—including one in a pink Inter Miami CF jersey, a goalkeeper in green, and players in black and blue kits—are shown on the right competing for the ball, highlighting the return of the MLS season.

MLS resumes on Apple TV after World Cup break

Illustration showing the Gmail logo above the text “Gmail in the Gemini era,” with the word “Gemini” highlighted in blue on a light gradient background.

Gmail rolls out custom prompting to help you perfect your tone

Samsung Bespoke AI washer and dryer lineup for 2026 installed beneath a modern staircase, featuring matching graphite-finish front-load appliances with AI displays, integrated shelving, and built-in ambient lighting in a contemporary home laundry space.

A look at Samsung’s sleek new Bespoke AI laundry lineup

Microsoft Entra ID illustration highlighting identity protection and secure access across users, devices, applications, Active Directory, multicloud environments, cloud and AI apps, Microsoft 365, and on-premises systems.

Microsoft Entra ID trashes text-code logins for good

Before-and-after comparison of the redesigned Windows Search home, showing a simplified layout that prioritizes recent searches over recommended content such as trending topics, apps, and widgets.

Windows Search Box update prioritizes speed and simplicity

Claude Artifacts displayed in a shared workspace, showing a design review artifact generated from a @Claude mention in a conversation thread, highlighting public sharing, multiplayer editing, and collaborative document creation.

Claude Code adds multiplayer editing and public artifact sharing

Company Info
  • Homepage
  • Support my work
  • Latest stories
  • Company updates
  • GDB Recommends
  • Daily newsletters
  • About us
  • Contact us
  • Write for us
  • Editorial guidelines
Legal
  • Privacy Policy
  • Cookies Policy
  • Terms & Conditions
  • DMCA
  • Disclaimer
  • Accessibility Policy
  • Security Policy
  • Do Not Sell or Share My Personal Information
Socials
Follow US

Disclosure: We love the products we feature and hope you’ll love them too. If you purchase through a link on our site, we may receive compensation at no additional cost to you. Read our ethics statement. Please note that pricing and availability are subject to change.

Copyright © 2026 GadgetBond. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | Do Not Sell/Share My Personal Information.