Bug:

Affected versions 12.23.1-12.72.0 (May 2022-Feb 2024) with split tunneling feature.

Impact:

Exposed visited domains to user’s ISP, potentially leaking browsing history.

Affected users:

Windows users with active split tunneling (about 1%).

Fix:

Upgrade to version 12.73.0 (removes split tunneling temporarily).

Alternatives:

Disable split tunneling or use ExpressVPN version 10.

Note:

All other traffic and content remain encrypted.

  • ArchAengelus@lemmy.dbzer0.com
    1 year ago

    Uh, I might be wrong here, but isn’t the whole purpose of split tunneling to allow you to send only necessary traffic through a given tunnel? Then the rest of your traffic goes through whatever the default path is?

    This seems more like a feature than a CVE. Maybe I’m missing something.