ExpressVPN browser extension aced third-party security audit
It's the second time the VPN provider put its browser extension under independent scrutiny
Independent auditors at leading firm Cure53 confirmed that the ExpressVPN browser extension for Chrome and Firefox is secure as it protects "against the majority of severe threats."
ExpressVPN is arguably the most proactive among the best VPN companies on the market when it comes to putting its service under external scrutiny. This is the 19th time the provider has undergone a third-party audit since 2018. Specifically, it's the second security assessment of its VPN browser extension – the first was carried out in 2022.
How has the ExpressVPN browser extension been audited?
Experts at Cure53 took a deep dive into the VPN infrastructure to ensure that, as of June 2024, the ExpressVPN browser extension works as promised.
Specifically, auditors employed a white-box testing approach, performing penetration tests and source code audits to assess the security offered by the ExpressVPN browser extension. The testing lasted six days.
Part of the analysis focused on the potential for a malicious extension to exploit the communication channel – the VPN browser extension – to take control of the virtual private network (VPN).
Besides a secure VPN browser extension and dedicated apps for all devices, ExpressVPN also offers a speedy built-in VPN router, ExpressVPN Aircove. Experts at Cure53 inspected its security and privacy features ahead of the launch in 2022, gaining "a positive impression" overall.
"Fortunately, the review yielded positive results, as no such vulnerabilities were identified," Cure53 wrote in its assessment report, adding that no misconfigurations within the software were found, either.
The audit identified only two small issues – one labeled as a medium-severity vulnerability and one as a general weakness – both directly related to the functionality in charge of spoofing your real location.
While suggesting ExpressVPN resolve these issues to bolster "the already robust security posture of the VPN extension," Cure53 confirmed that both vulnerabilities have low exploitation potential.
"The overall number of findings made during this engagement was very small, and this can certainly be interpreted as a positive sign in regards to the security of the inspected VPN browser extension," reads the report. "All in all, Cure53 would like to congratulate the ExpressVPN team on their excellent work."
Regular independent audits of VPN products have become an industry standard – a way for privacy-focused providers to back up their claims with hard facts. Ultimately, the aim is to empower people to look beyond marketing ploys and get a truly secure VPN service.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com