Bug:

Affected versions 12.23.1-12.72.0 (May 2022-Feb 2024) with split tunneling feature.

Impact:

Exposed visited domains to user’s ISP, potentially leaking browsing history.

Affected users:

Windows users with active split tunneling (about 1%).

Fix:

Upgrade to version 12.73.0 (removes split tunneling temporarily).

Alternatives:

Disable split tunneling or use ExpressVPN version 10.

Note:

All other traffic and content remain encrypted.

  • ArchAengelus@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    1
    ·
    9 months ago

    Uh, I might be wrong here, but isn’t the whole purpose of split tunneling to allow you to send only necessary traffic through a given tunnel? Then the rest of your traffic goes whatever the default path is?

    This seems more like a feature than a CVE. Maybe I’m missing something.

    • Still@programming.dev
      link
      fedilink
      English
      arrow-up
      5
      ·
      9 months ago

      so it would be like you say I want Firefox to go thru the tunnel, you would want the DNS requests made from it to go thru as well, in this case they weren’t tunneled and were just going to the normal dns server