ExpressVPN updates Windows app to fix vulnerability

An abstract CGI visualization of a shield shape on a semi-transparent, multicolored surface resembling a computer processor, to represent application security. — (Image credit: Getty Images)

ExpressVPN has updated its Version 12 app for Windows following a tip from a security researcher about a routing problem.

The issue related to the way certain Remote Desktop traffic was being routed, and applied only under specific conditions — when a Remote Desktop Protocol (RDP) connection was in use or when other TCP traffic was routed over port 3389.

"As a result of the bug, if a user established a connection using RDP, that traffic could bypass the VPN tunnel. This did not affect encryption, but it meant that traffic from RDP connections wasn’t routed through ExpressVPN as expected," said the firm.

"As a result, an observer, like an ISP or someone on the same network, could have seen not only that the user was connected to ExpressVPN, but also that they were accessing specific remote servers over RDP — information that would normally be protected."

The company said it has now - with the help of its bug bounty community - fixed the issue.

It traced the problem to a piece of debug code - originally intended for internal testing, but which mistakenly made it into production builds, versions 12.97 to 12.101.0.2-beta.

The issue was reported on April 25 by security researcher Adam-X through its bug bounty platform, and ExpressVPN said its team confirmed and triaged the report within hours.

It released a fix five days later in the form of Version 12.101.0.45, with the update now rolled out across all distribution channels. It also includes other general improvements and routine bug fixes.

"The issue was confirmed as resolved by the researcher shortly after release, and the report was formally closed at the end of June," said the firm. "We’re grateful to Adam-X for responsibly disclosing this issue."

ExpressVPN calms user concerns

ExpressVPN said the issue would mainly affect users actively using RDP — a protocol that’s generally not used by typical consumers, meaning the number of affected users is probably small.

Meanwhile, the only data exposed by the breach would be the user’s real IP address. It wouldn't reveal their browsing activity or compromise the encryption of any traffic, including RDP sessions.

"To make sure this kind of issue doesn’t happen again, we’re strengthening our internal safeguards with more targeted checks to better catch debug code before it can reach production," said ExpressVPN.

"This includes improving automated tests to flag and remove test settings earlier in development, reducing the chance of human error and helping us deliver even stronger protections for our users."

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.