Application Security

TunnelBear VPN Audit Finds Few Vulnerabilities

TunnelBear has commissioned a third-party audit of its virtual private network (VPN) application and only a few vulnerabilities have been found in recent versions of the product.

Germany-based security firm Cure53 has analyzed the entire TunnelBear infrastructure, including servers, clients, browser extensions and website. Two separate audits were conducted: one in late 2016 and one in the summer of 2017. In both cases, testers had access to servers and source code.

A significant number of serious vulnerabilities were uncovered in the initial tests, including three critical flaws affecting the browser extension and the macOS client.

Experts discovered that the browser extension VPN could easily be turned off by getting the targeted user to access a specially crafted webpage. The browser extension also allowed attackers to force victims into making requests with the VPN disabled.

As for the macOS client, it was affected by a vulnerability that could allow local root privilege escalation via a malicious application installed on the host.

During the 2016 testing, Cure53 also discovered three high severity flaws affecting the TunnelBear API and Android application. The API weaknesses allowed cross-site request forgery (CSRF) attacks that could be used to cancel a victim's subscription, and phishing attacks via invite emails. The Android app could be crashed by an attacker, dropping the VPN connection.
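The article does not describe how the TunnelBear API flaw was triggered beyond classifying it as CSRF, so the following is an added illustration of the vulnerability class and its standard fix, not TunnelBear's code or the audited bug. It models a hypothetical cookie-authenticated "cancel subscription" endpoint: the cookie-only handler that any third-party page can drive from the victim's browser, beside a hardened handler that also requires a first-party Origin and a session-bound synchronizer token. The endpoint, origins, session store and secret are all constructed for the example.

```python
"""Synchronizer-token CSRF defence for a cookie-authenticated API endpoint.

Constructed example for this article; it is not TunnelBear's code and does
not reproduce the audited flaw. It models a hypothetical POST endpoint
(cancel subscription) authenticated by a session cookie.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)          # per-deployment secret (assumed)
ALLOWED_ORIGINS = {"https://app.example.com"}    # first-party web origin (assumed)


def fresh_sessions() -> dict:
    """Constructed server-side session store: session id -> account state."""
    return {"sess-abc": {"user": "alice", "subscription": "active"}}


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session id so a third-party page cannot mint one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def cancel_vulnerable(req: dict, sessions: dict) -> int:
    """Cookie-only authorisation: any page that makes the victim's browser POST here wins."""
    sess = sessions.get(req["cookies"].get("session"))
    if sess is None:
        return 401
    sess["subscription"] = "cancelled"
    return 200


def cancel_hardened(req: dict, sessions: dict) -> int:
    """Same action, but the request must prove it was issued by first-party script."""
    sid = req["cookies"].get("session")
    sess = sessions.get(sid)
    if sess is None:
        return 401
    # Browsers attach Origin to cross-site POSTs; fail closed if it is missing or foreign.
    if req["headers"].get("Origin") not in ALLOWED_ORIGINS:
        return 403
    # A cross-site HTML form cannot set custom headers, and a cross-origin fetch that
    # sets one triggers a CORS preflight the server does not approve, so only the
    # first-party page that received the token can supply this header.
    supplied = req["headers"].get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(sid)):
        return 403
    sess["subscription"] = "cancelled"
    return 200


def forged_request() -> dict:
    """What the victim's browser sends when https://evil.example auto-submits a form:
    the session cookie rides along, but Origin is the attacker's and there is no token."""
    return {
        "cookies": {"session": "sess-abc"},
        "headers": {"Origin": "https://evil.example"},
    }


def legit_request() -> dict:
    """First-party script: same cookie, first-party Origin, token embedded in the page."""
    return {
        "cookies": {"session": "sess-abc"},
        "headers": {
            "Origin": "https://app.example.com",
            "X-CSRF-Token": issue_csrf_token("sess-abc"),
        },
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", cancel_vulnerable), ("hardened", cancel_hardened)):
        store = fresh_sessions()
        status = handler(forged_request(), store)
        print(f"{name}: forged POST -> {status}, "
              f"subscription={store['sess-abc']['subscription']}")
```

Run stand-alone, the forged request cancels the subscription through the cookie-only handler and is refused with 403 by the hardened one, while the first-party request still succeeds. In a real deployment the session cookie should additionally carry `SameSite=Lax` or `Strict`, which stops the browser from attaching it to cross-site POSTs in the first place; the token and Origin checks remain useful as defence in depth for older clients and for subdomain or sibling-origin attackers.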

Testers also discovered 13 medium, eight low and 13 informational issues during the initial audit.

Six months later, after TunnelBear worked on improving the security of its product, Cure53 conducted another assessment. This time, no critical vulnerabilities were discovered.

Experts did find one high severity bug that could have been exploited by an attacker with direct access to the server to obtain files containing sensitive information. Cure53 also identified four medium, three low severity, and five informational issues.

All vulnerabilities have been patched by TunnelBear; only some of the findings rated “informational” remain unaddressed.

“The progress made by TunnelBear over the course of half a year demonstrates how the potential of a security audit and advice in the VPN realm may be harnessed to hoist up the safeguarding strategies within the entire software compound,” Cure53 said in a summary report. “After undergoing the first challenging security test which ended with several critical & high severity findings, the TunnelBear team seems to have redoubled efforts on security.”

TunnelBear said it had initially planned not to release the results of the initial audit, but later determined that being transparent better demonstrated its investment in security.

“Our plan is to earn trust and move the VPN industry in a new direction around transparency. While many VPN companies will continue to live in obscurity, with claims of protecting your security, it’s our hope that by completing the industry’s first 3rd party, public security audit, experts and consumers alike can be sure that TunnelBear delivers on its security promises,” TunnelBear said in a blog post.

Cure53 has also conducted detailed audits of NTP, Firefox Accounts, cURL and Dovecot.

Related: Audit Finds Only One Severe Vulnerability in OpenVPN

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
