Last year the team at ExpressVPN released a set of leak testing tools to help VPN users find out whether their VPN has any leaks. The tools are open source and available on GitHub for anyone to use and contribute to. Now we're excited to share that ExpressVPN is taking its transparency initiative a step further with a penetration test and code audit of its popular Chrome web extension, and by open sourcing the code.
ExpressVPN is taking a very deliberate approach to transparency. By having an independent third party test its web extension, and following that up by open sourcing the code for the latest version, ExpressVPN is building trust in an industry that is riddled with deception. We won't dive into the dark side of VPNs in this post, but you need only consider the privacy implications of free VPNs and the logging revelations about some well-known VPNs to see the need for transparency: trust is a central issue when selecting a VPN to help protect your privacy.
Back to the security audit and open sourcing of the web extension code. ExpressVPN hired Berlin-based Cure53 to conduct a penetration test and audit the source code of its Chrome browser extension. The testing was performed in October 2018 and found 4 vulnerabilities and 4 general weaknesses, none of which was rated higher than medium severity. Over the following weeks the ExpressVPN development team worked to remedy the issues, and Cure53 verified in November 2018 that the fixes were in place. That leads to today's announcement that ExpressVPN is open sourcing the code for its Chrome and Firefox browser extensions.
Cheers to the ExpressVPN team for taking a leading role in vulnerability testing and open sourcing their code. They have also made the results of the Cure53 audit public for anyone to read. We were pleased to see the manner in which the vulnerabilities were addressed, which in some cases meant that features were removed from the browser extension: where the web browser itself bypassed the intended privacy protection, the developers pulled the feature rather than give users a false sense of security. The release of the audit and the open source code give users yet another reason to trust ExpressVPN.