ExpressVPN’s New Products Pass Third-Party Review
- This brings its independent audits to 27
- Some medium severity issues have been identified
ExpressVPN is celebrating the results of a new independent audit by third-party cybersecurity firm Cure53, bringing its total number of third-party assessments to 27.
The new audits were carried out on two products launched by one of the best VPNs on the market a few months ago: ExpressMailGuard – a service that provides unlimited email aliases – and Identity Defender, an identity protection application.
Cure53 has given the green light with no significant vulnerabilities reported. However, it highlighted several areas that need further attention. More details below.
Commitment to Security Through Independent Audits
Although not a clean sheet on this occasion, these results show why independent audits are now crucial for any reputable provider wishing to provide a truly secure VPN service to their customers. In this context, an independent audit is not just about software passing a test the first time, but rather an open commitment to fixing any architectural issues that might arise.
ExpressVPN is a veteran when it comes to third-party controls. Since its first audit in 2018, its products have been systematically reviewed by several renowned firms, including PwC, Cure53 and KPMG, achieving four ISO certifications and reflecting a growing commitment to accountability that goes well beyond industry standards.
“Every product we build that touches user data is entrusted to independent researchers whose job it is to break it. Twenty-seven audits later, we remain committed to the same standard: trust should be earned, not assumed,” said Aaron Engel, CSO at ExpressVPN – words to live by when we talk about VPNs.
What did Cure53 find?
Cure53 conducted comprehensive source code reviews and infrastructure assessments of both products, from user interfaces and email processing features to back-end infrastructure, authentication, personally identifiable information (PII), and data storage.
The investigations took place at the beginning of March and lasted a maximum of 18 days.
ExpressVPN Identity Defender Findings
In the case of ExpressVPN Identity Defender, the independent auditor identified eleven areas of concern. Of these, seven were classified as “medium” security vulnerabilities, meaning issues that do not have a major impact on the areas concerned.
Two medium severity issues related to storing unencrypted data. In the first case, ExpressVPN was passing unencrypted data structures to its log and, in doing so, preventing its redaction processes from securing them. In the second case, user identity data was used for secondary purposes, inadvertently providing hackers with a potential way to triangulate data about you.
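The first Identity Defender finding is a common pattern: a redaction layer that only inspects the rendered log message, so a raw data structure handed to the logger as an argument reaches the log unredacted. The following is an added illustration written for this page, not code from ExpressVPN or from Cure53's report; the filter classes, the sensitive-key list and the sample user record are all constructed for the example. It shows a naive filter that misses PII inside a dict argument next to one that walks the structured arguments as well.

```python
import logging
import re
from typing import Any

# Constructed example: a logging.Filter that redacts PII before a record is
# rendered. The naive version scans only the message template, so a dict
# passed as a log argument still prints its raw fields; the structured
# version recursively redacts every argument, including nested mappings.

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
SENSITIVE_KEYS = {"email", "ssn", "phone", "password", "token"}  # assumed list


def redact_str(text: str) -> str:
    """Mask e-mail addresses in a plain string."""
    return EMAIL_RE.sub("[REDACTED-EMAIL]", text)


def redact_value(value: Any) -> Any:
    """Recursively redact strings and sensitive keys inside nested structures."""
    if isinstance(value, dict):
        return {
            k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact_value(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(redact_value(v) for v in value)
    if isinstance(value, str):
        return redact_str(value)
    return value


class NaiveRedactingFilter(logging.Filter):
    """Redacts only the message template; structured args pass through unchanged."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_str(str(record.msg))
        return True


class StructuredRedactingFilter(logging.Filter):
    """Redacts the template and every argument, so data structures cannot bypass it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_str(str(record.msg))
        if record.args:
            # logging stores a lone mapping argument as the mapping itself,
            # otherwise as a tuple of positional arguments.
            if isinstance(record.args, dict):
                record.args = redact_value(record.args)
            else:
                record.args = tuple(redact_value(a) for a in record.args)
        return True


def render(log_filter: logging.Filter, template: str, *args: Any) -> str:
    """Build a LogRecord, run it through the filter and return the rendered line."""
    record = logging.LogRecord("redaction-demo", logging.INFO, __file__, 0,
                               template, args, None)
    log_filter.filter(record)
    return record.getMessage()


# Constructed sample record of the kind an identity-protection service handles.
SAMPLE_USER = {"id": 42, "email": "alice@example.com", "plan": "pro"}

if __name__ == "__main__":
    print("naive:     ", render(NaiveRedactingFilter(), "user %s", SAMPLE_USER))
    print("structured:", render(StructuredRedactingFilter(), "user %s", SAMPLE_USER))
```

The point a reviewer would check for is whether redaction runs over the rendered message, or over each argument and field before rendering: only the second approach still works when callers log whole objects rather than strings.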
ExpressMailGuard Findings
For ExpressMailGuard, the Cure53 team identified even more issues – a total of thirteen results. However, of these, only two were classified as direct security vulnerabilities, and eleven were classified as more general weaknesses with no direct path to exploitation.
In this case, the only mid-level exploitable vulnerability is related to incorrect processing of sender email address data, an issue that could, among other things, help a malicious actor spoof emails.
Other medium severity issues included recipient verification emails being sent to the wrong addresses – not much of a risk on its own, but potentially useful to an attacker in conjunction with another vulnerability.
Cure53’s advice included promptly processing and resolving these findings, conducting regular testing to identify new risks as they arise, and reporting issues to managers when third-party code was involved.