'No critical findings' — ExpressVPN’s new products get thumbs up from third-party security audit in firm's 27th round of independent review
ExpressMailGuard and Identity Defender have just been confirmed as secure
- ExpressVPN's new products pass third-party review
- This brings its independent audits to 27
- Some medium-severity issues were identified
ExpressVPN is celebrating the results of a new independent audit carried out by third-party cybersecurity firm Cure53, bringing its total number of third-party assessments to a whopping 27.
The new audits covered two products launched a few months back by one of the best VPNs on the market: ExpressMailGuard, a service that provides limitless email aliases, and Identity Defender, an identity protection app.
Cure53 gave the green light, with no significant vulnerabilities reported. However, it highlighted several areas that require closer attention. More details below.
While this was not a clean score-sheet on this occasion, such findings highlight why independent audits are now crucial for any reputable provider wanting to deliver a truly secure VPN service to its customers. In this context, an independent audit is not just about software passing a test the first time, but rather an open commitment to address any architectural issues that may arise.
ExpressVPN is a veteran when it comes to third-party checks. Since its first audit in 2018, its products have been consistently scrutinized by several renowned firms, including PwC, Cure53, and KPMG, securing four ISO certifications, and reflecting a growing commitment to accountability that goes well beyond industry standards.
"Every product we build that touches user data gets handed to independent researchers whose job it is to break it. Twenty-seven audits later, we remain committed to the same standard: trust must be earned, not assumed," said Aaron Engel, CSO at ExpressVPN — words to live by when we talk about VPNs.
What did Cure53 find?
Cure53 conducted comprehensive source-code reviews and infrastructure assessments of both products — from the UIs and email-processing functionality to backend infrastructure, authentication, handling of personally identifiable information (PII), and data storage.
Investigations took place in early March and were carried out for a maximum of 18 days.
In the case of ExpressVPN Identity Defender, the independent auditor identified eleven areas of concern. Of these, seven were classified as 'medium'-grade security vulnerabilities: issues that do not have a major impact on any area within scope.
Two medium-severity issues related to the storage of unencrypted data. In the first case, ExpressVPN was passing unencrypted data structures to its logs and, in doing so, prevented its redaction processes from securing them. In the second, data relating to the user's identity was being used for a secondary purpose, thereby inadvertently providing hackers with one potential way to triangulate data about you.
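The first finding above is a common logging pitfall: redaction that runs on the formatted message string cannot mask fields it does not recognise inside a whole data structure dumped into the log. The following is an added example, not ExpressVPN's or Cure53's code, showing a redaction filter that walks the structured arguments before they are formatted; the field names and the sample record are constructed assumptions.

```python
"""Structure-aware log redaction (added example; not ExpressVPN or Cure53 code).
The PII field names and the sample record below are constructed assumptions."""
import logging
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PII_KEYS = {"email", "full_name", "phone", "ssn"}  # assumed sensitive field names

def redact_text(text: str) -> str:
    """Pattern-based redaction: only catches PII with a recognisable shape."""
    return EMAIL_RE.sub("[REDACTED-EMAIL]", text)

def redact_structure(value):
    """Recursive, key-aware redaction; returns a copy, never mutates the input."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k in PII_KEYS else redact_structure(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact_structure(v) for v in value)
    return redact_text(value) if isinstance(value, str) else value

class RedactingFilter(logging.Filter):
    """Redact msg and args *before* formatting, so a dict passed to the logger
    is masked field by field instead of being dumped whole via repr()."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_structure(record.msg)
        record.args = redact_structure(record.args)
        return True

def _record(msg, args):
    # Same normalisation logging.Logger applies (a lone dict arg becomes record.args)
    return logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)

def naive_render(msg, *args) -> str:
    """Redaction applied to the formatted string only: the pattern that fails."""
    return redact_text(_record(msg, args).getMessage())

def render(msg, *args) -> str:
    """Redaction applied to the structure first, then formatting."""
    rec = _record(msg, args)
    RedactingFilter().filter(rec)
    return rec.getMessage()

# Constructed sample event: nested PII sits under a key that is not itself sensitive
SIGNUP = {"user_id": 42, "email": "alice@example.com",
          "profile": {"full_name": "Alice Liddell", "plan": "pro"}}
```

With the naive approach the email is masked because it matches a pattern, but the nested full name survives in the log line; the structure-aware filter masks both while leaving non-sensitive fields intact.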
For ExpressMailGuard, the Cure53 team identified even more issues — a total of thirteen findings. However, only two of these were classified as direct security vulnerabilities, while eleven were categorised as more general weaknesses with no direct route to exploitation.
In this case, the sole medium-level exploitable vulnerability relates to the incorrect processing of sender email-address data, an issue that could aid a malicious actor in spoofing emails, amongst other things.
Other medium-severity issues included recipient verification emails being sent to the wrong addresses — not a risk in isolation, but potentially useful in conjunction with another vulnerability.
Cure53's advice included promptly addressing and resolving these findings, undertaking regular tests to identify new risks as they arise, and reporting issues to maintainers where third-party code is involved.
Silvia Iacovcich is a tech journalist with over five years of experience in the field, including AI, cybersecurity, and fintech. She has written for various publications focusing on the evolving regulatory landscape of AI, digital behavior, web3, and blockchain, as well as social media privacy and security regulations.