TrollEye Security

ExpressVPN Discovers a Bug That Has Been Leaking Some DNS Requests for Almost Two Years

Details of The Story

ExpressVPN, a widely recognized provider of VPN services, has removed the split tunneling feature from the latest version of its Windows application. The decision follows the identification of a critical vulnerability that compromised user privacy by inadvertently exposing the domains users visited to DNS servers outside ExpressVPN’s control. The vulnerability had been leaking data for almost two years.

The crux of the issue lay within the operational mechanics of the split tunneling feature. Traditionally hailed for its flexibility, split tunneling allowed users to direct only a portion of their internet traffic through the VPN, facilitating a blend of secure remote access and unencumbered local connectivity. However, a flaw was uncovered, leading to a scenario where DNS requests—ordinarily routed through ExpressVPN’s private, no-log DNS servers to ensure anonymity—were misdirected to potentially less secure DNS servers, typically those managed by the user’s Internet Service Provider (ISP).

This anomaly not only breached the foundational privacy assurances inherent to VPN services but also opened a window for ISPs to potentially log the domains accessed by the users. It’s crucial to understand that while ISPs could see the domains, the encryption maintained by ExpressVPN ensured that the specifics of the user’s online activities remained shielded from view.
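A check for the leak described above, as an added example that is not ExpressVPN's code or part of the original article: it scans captured DNS queries and flags any that left outside the VPN tunnel or went to a resolver other than the VPN's. The adapter name `tun0`, the resolver address `10.8.0.1`, the capture layout and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Assumed values for this example, not ExpressVPN's: the tunnel adapter name
# and the resolver address the VPN client is expected to use.
TUNNEL_IFACE = "tun0"
VPN_RESOLVERS = {ipaddress.ip_address("10.8.0.1")}

# Constructed sample capture in a simplified tcpdump-like layout:
#   time iface src.port > dst.port: id+ qtype? qname.
SAMPLE_CAPTURE = """\
12:00:01 tun0 10.8.0.2.53124 > 10.8.0.1.53: 4660+ A? mail.example.org.
12:00:02 eth0 192.168.1.5.53125 > 192.0.2.53.53: 4661+ A? bank.example.com.
12:00:03 eth0 192.168.1.5.40000 > 198.51.100.7.443: tcp 0
12:00:04 tun0 10.8.0.2.53126 > 192.0.2.53.53: 4662+ AAAA? news.example.net.
garbage line that should be ignored
"""

DNS_QUERY = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+\S+\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<port>\d+):\s+\d+\+?\s+"
    r"(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+?)\.?$"
)


def find_dns_leaks(capture, tunnel_iface=TUNNEL_IFACE, resolvers=VPN_RESOLVERS):
    """Return (time, iface, resolver, qname, reason) for every DNS query that
    left outside the tunnel or was sent to a resolver the VPN does not run."""
    leaks = []
    for line in capture.splitlines():
        m = DNS_QUERY.match(line.strip())
        if not m or m["port"] != "53":
            continue  # not a plain-text DNS query
        dst = ipaddress.ip_address(m["dst"])
        reasons = []
        if m["iface"] != tunnel_iface:
            reasons.append("sent outside tunnel")
        if dst not in resolvers:
            reasons.append("non-VPN resolver")
        if reasons:
            leaks.append((m["time"], m["iface"], str(dst), m["qname"],
                          ", ".join(reasons)))
    return leaks


if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE_CAPTURE):
        print(*leak, sep="  ")
```

Only plain-text DNS on port 53 is visible to this check; queries carried over encrypted transports would need a different data source.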

As VPN technologies continue to evolve, there must be a broader discussion about the balance between innovation and security. The industry needs to reflect on how to ensure robust security measures are in place while advancing the functionality that users demand. Leaving vulnerabilities in place for years is dangerous and unacceptable. Companies need to wake up and take security seriously, implementing services such as DevSecOps to help catch these vulnerabilities earlier.
