ExpressVPN has updated its Version 12 app for Windows following a tip from a security researcher about a routing problem.
The issue related to the way certain Remote Desktop traffic was being routed, and applied only under specific conditions — when a Remote Desktop Protocol (RDP) connection was in use or when other TCP traffic was routed over port 3389.
"As a result of the bug, if a user established a connection using RDP, that traffic could bypass the VPN tunnel. This did not affect encryption, but it meant that traffic from RDP connections wasn’t routed through ExpressVPN as expected," said the firm.
"As a result, an observer, like an ISP or someone on the same network, could have seen not only that the user was connected to ExpressVPN, but also that they were accessing specific remote servers over RDP — information that would normally be protected."
The company said it has now - with the help of its bug bounty community - fixed the issue.
It traced the problem to a piece of debug code - originally intended for internal testing, but which mistakenly made it into production builds, versions 12.97 to 12.101.0.2-beta.
The issue was reported on April 25 by security researcher Adam-X through its bug bounty platform, and ExpressVPN said its team confirmed and triaged the report within hours.
It released a fix five days later in the form of Version 12.101.0.45, with the update now rolled out across all distribution channels. It also includes other general improvements and routine bug fixes.
"The issue was confirmed as resolved by the researcher shortly after release, and the report was formally closed at the end of June," said the firm. "We’re grateful to Adam-X for responsibly disclosing this issue."
ExpressVPN calms user concerns
ExpressVPN said the issue would mainly affect users actively using RDP — a protocol that’s generally not used by typical consumers, meaning the number of affected users is probably small.
Meanwhile, the only data exposed by the breach would be the user’s real IP address. It wouldn't reveal their browsing activity or compromise the encryption of any traffic, including RDP sessions.
"To make sure this kind of issue doesn’t happen again, we’re strengthening our internal safeguards with more targeted checks to better catch debug code before it can reach production," said ExpressVPN.
"This includes improving automated tests to flag and remove test settings earlier in development, reducing the chance of human error and helping us deliver even stronger protections for our users."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Think AI coding tools are speeding up work? Think again – they’re actually slowing developers downNews AI coding tools may be hindering the work of experienced software developers, according to new research
-
NIS2: Why are firms struggling to comply?In-depth The Network and Information Systems 2 (NIS2) Directive continues to trip up organizations in critical industries, as leaders grapple with complex supply chains
-
NCSC says ‘limited number’ of UK firms affected by SharePoint attack as global impact spreadsNews The SharePoint flaw has already had a wide impact according to reports from government security agencies
-
New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victimsNews Research from Keepnet shows new hires are far more likely to fall for phishing attacks – here's how you can improve security awareness during onboarding processes.
-
IT leaders are facing major work device blind spots – and it's putting security at riskNews The use of unauthorized devices is putting enterprises at huge risk
-
Okta and Palo Alto Networks are teaming up to ‘fight AI with AI’News The expanded partnership aims to help shore up identity security as attackers increasingly target user credentials
-
Despite the hype, cybersecurity teams are still taking a cautious approach to using AI toolsNews Research from ISC2 shows the appetite for AI tools in cybersecurity is growing, but professionals are taking a far more cautious approach than other industries.
-
A new, silent social engineering attack is being used by hackers – and your security systems might not notice until it’s too lateNews Security researchers have warned the 'FileFix' technique, which builds on the notorious 'ClickFix' tactic, is being used in the wild by threat actors.
-
MSPs emerge as key security partners for mid-market enterprisesNews The MSP Customer Insight Report reveals 85% of mid-sized organizations now rely on MSPs for security support
-
Application layer DDoS attacks are skyrocketing – here's whyNews The industry is seen as a prime target thanks to a reliance on online services and real-time transactions
