ExpressVPN on Wednesday (November 9) announced that it validated the security posture of its macOS, Linux, and Windows desktop apps through three new independent audits by respected cybersecurity firms, Cure53 and F-Secure.
ExpressVPN said in a statement that Cure53 tested both its macOS and Linux desktop apps through white-box penetration tests and source code audits from June to August 2022.
“They found a low volume of issues in our macOS app, uncovering only two security vulnerabilities and four informational weaknesses with low exploitation potential. We quickly addressed all relevant findings, with Cure53 reviewing the fixes to ensure no additional weaknesses were introduced,” it added.
“In conclusion, this assessment of the latest ExpressVPN application for macOS iteration leaves an exceptionally solid impression in regards to security,” writes Cure53 in their report.
“All in all, the ExpressVPN team deserves high praise for its efforts to provide an exceptionally secure macOS client. Only a few minor hardening improvements are required to elevate the platform’s security posture to an exemplary level.”
Similarly, the audit of its Linux app returned a short list of security issues, according to the company. Out of the five discoveries, there were two security vulnerabilities and three general weaknesses with lower exploitation potential, all of which have since been reviewed by ExpressVPN’s internal team. “Absence of findings beyond a Medium rank is yet another strong positive indicator of the condition of the security premise at the ExpressVPN Linux targets,” notes Cure53.
F-Secure conducted a security audit on the Windows app (v12) from February 2022 to March 2022. The audit assessed two important features of the app:
That the app cannot be manipulated to leak information (such as a user’s IP address) outside the VPN tunnel
That the app is not susceptible to remote code execution attacks“We’re pleased to share that F-Secure did not find any significant weaknesses. F-Secure’s independent auditors found only one informational issue in our Windows v12 app, which was not exploitable. The issue has already been fixed, which F-Secure confirmed in a retest in April 2022,” ExpressVPN said.
No critical, high, medium or minor issues seem to have been found. F-Secure concluded: “It was not possible to gain information about ExpressVPN’s clients or out-of-the-network traffic. Nor was it possible to execute code remotely through attacks such as Man-in-the-Middle (MitM), TLS downgrading, or packet injection.”
(Edited by : Shoma Bhattacharjee)
