ExpressVPN gets clean bill of health after extension audit

null

ExpressVPN has declared a clean bill of health following a full security audit.

The company enlisted the help of cybersecurity firm Cure53 to conduct a security audit of their VPN browser extension for Chrome and Firefox to assuage any safety concerns. The penetration testing report (or Pentest) is less extensive than the one the Berlin-based company did for Tunnelbear back in 2017 before it was acquired by McAfee.

As specialists in penetration testing and code auditing, Cure53 tests everything from apps and extensions to websites, blog, config, server, container, infrastructure and encryption although in ExpressVPN's case, only the browser extension was scrutinised.

A four-member team worked over a week on the two browser extensions - an entire audit of a VPN solution can take up to six weeks depending on complexity.

In an emailed interview, Harold Li, VP at ExpressVPN, added "We regularly conduct extensive audits and penetration tests on all ExpressVPN apps and systems. This is the first audit we've published, but it certainly won't be the last. We regularly conduct extensive audits and penetration tests on all ExpressVPN apps and systems. This is the first audit we've published, but it certainly won't be the last."

Safety flaws

Cure53 identified four vulnerabilities, three classified as medium, with four miscellaneous issues, none of which would warrant an out-of-band upgrade.

It further notes that “no security issues which would allow [attackers] to influence the state of the VPN connection via a malicious web page or alike were discovered.” adding, “several features that initially aimed to offer better privacy for users but fell victim to browser-based shortcomings were removed” after this test, something it considers to be positive.

In addition to the audit, the source code of the browser extension (which requires the VPN client to run), has been released under an open-source license allowing others to examine the extension in more details.

ExpressVPN, which currently tops TechRadar’s best VPN buying guide, has already committed to doing more independent public security audit, a trend that others such as NordVPN, VyprVPN, IPVanish and Tunnelbear have already joined.

IVPN, Mullvad, TunnelBear, and VyprVPN and ExpressVPN also partnered with the Center for Democracy & Technology, a non profit organization that champions global online civil liberties and human rights and has called for a more transparent framework for the VPN industry to operate within. 

  • Check out the best VPN providers around right now