Skip to main content

ExpressVPN gets clean bill of health after extension audit

ExpressVPN has declared a clean bill of health following a full security audit.

The company enlisted the help of cybersecurity firm Cure53 to conduct a security audit of their VPN browser extension for Chrome and Firefox to assuage any safety concerns. The penetration testing report (or Pentest) is less extensive than the one the Berlin-based company did for Tunnelbear back in 2017 before it was acquired by McAfee.

As specialists in penetration testing and code auditing, Cure53 tests everything from apps and extensions to websites, blog, config, server, container, infrastructure and encryption although in ExpressVPN's case, only the browser extension was scrutinised.

A four-member team worked over a week on the two browser extensions - an entire audit of a VPN solution can take up to six weeks depending on complexity.

In an emailed interview, Harold Li, VP at ExpressVPN, added "We regularly conduct extensive audits and penetration tests on all ExpressVPN apps and systems. This is the first audit we've published, but it certainly won't be the last. We regularly conduct extensive audits and penetration tests on all ExpressVPN apps and systems. This is the first audit we've published, but it certainly won't be the last."

Safety flaws

Cure53 identified four vulnerabilities, three classified as medium, with four miscellaneous issues, none of which would warrant an out-of-band upgrade.

It further notes that “no security issues which would allow [attackers] to influence the state of the VPN connection via a malicious web page or alike were discovered.” adding, “several features that initially aimed to offer better privacy for users but fell victim to browser-based shortcomings were removed” after this test, something it considers to be positive.

In addition to the audit, the source code of the browser extension (which requires the VPN client to run), has been released under an open-source license allowing others to examine the extension in more details.

ExpressVPN, which currently tops TechRadar’s best VPN buying guide, has already committed to doing more independent public security audit, a trend that others such as NordVPN, VyprVPN, IPVanish and Tunnelbear have already joined.

IVPN, Mullvad, TunnelBear, and VyprVPN and ExpressVPN also partnered with the Center for Democracy & Technology, a non profit organization that champions global online civil liberties and human rights and has called for a more transparent framework for the VPN industry to operate within. 

  • Check out the best VPN providers around right now
Desire Athow

Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Then followed a weekly tech column in a local business magazine in Mauritius, a late night tech radio programme called Clicplus and a freelancing gig at the now-defunct, Theinquirer, with the legendary Mike Magee as mentor. Following an eight-year stint at where he discovered the joys of global techfests, Désiré now heads up TechRadar Pro. He has an affinity for anything hardware and staunchly refuses to stop writing reviews of obscure products or cover niche B2B software-as-a-service providers.