TunnelBear has commissioned a third-party audit of its virtual private network (VPN) application, and only a few vulnerabilities have been found in recent versions of the product.

Germany-based security firm Cure53 has analyzed the entire TunnelBear infrastructure, including servers, clients, browser extensions and website. Two separate audits were conducted: one in late 2016 and one in the summer of 2017. In both cases, testers had access to servers and source code.

A significant number of serious vulnerabilities were uncovered in the initial tests, including three critical flaws affecting the browser extension and the macOS client.

Experts discovered that the browser extension VPN could easily be turned off by getting the targeted user to access a specially crafted webpage. The browser extension also allowed attackers to force victims into making requests with the VPN disabled.

As for the macOS client, it was affected by a vulnerability that could allow local root privilege escalation via a malicious application installed on the host.

During the 2016 testing, Cure53 also discovered three high severity flaws affecting the TunnelBear API and Android application. The API weaknesses allowed cross-site request forgery (CSRF) attacks that could be used to cancel subscriptions, and phishing attacks via invite emails. The Android app could have been caused to crash and lose the connection.

Testers also discovered 13 medium, 8 low and 13 informational issues during the initial audit.

Six months later, after TunnelBear worked on improving the security of its product, Cure53 conducted another assessment. This time, no critical vulnerabilities were discovered. Experts did find one high severity bug that could have been exploited by an attacker with direct access to the server to obtain files containing sensitive information.
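The CSRF finding against the subscription API is the one class of bug described above that is generic enough to illustrate. The following is an added example written for this article, not TunnelBear's API code or Cure53's proof of concept: a hypothetical cookie-authenticated "cancel subscription" handler shown first without any CSRF protection, then hardened with an Origin check and a per-session synchronizer token. The endpoint path, cookie name, origins and session store are all assumptions.

```python
"""Illustrative CSRF demo (hypothetical code, not TunnelBear's API).

A browser attaches the victim's session cookie to any cross-site form post,
so a state-changing endpoint that authorises on the cookie alone can be
driven from an attacker's page. The hardened handler adds two checks the
attacker's page cannot satisfy from a victim's browser.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://api.example-vpn.test"  # assumed first-party origin

# Constructed server-side state: session id -> account record.
SESSIONS = {"sess-42": {"user": "alice", "subscribed": True}}
# Per-session synchronizer tokens handed to the legitimate front-end form.
CSRF_TOKENS = {}


@dataclass
class Request:
    """Minimal model of an HTTP POST as the server sees it."""
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id):
    """Mint an unguessable per-session token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[session_id] = token
    return token


def cancel_vulnerable(req):
    """Authorises on the session cookie alone: vulnerable to CSRF."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None:
        return 401
    sess["subscribed"] = False
    return 200


def cancel_hardened(req):
    """Same endpoint, hardened. A page on another origin cannot forge the
    browser-set Origin header, and cannot read the per-session token out
    of the first-party form, so both checks fail for a forged post."""
    sid = req.cookies.get("sid")
    sess = SESSIONS.get(sid)
    if req.method != "POST" or sess is None:
        return 401
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403
    expected = CSRF_TOKENS.get(sid, "")
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison; empty expected token means none was issued.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    sess["subscribed"] = False
    return 200


def forged_request():
    """Constructed request: what the browser sends when a logged-in victim
    loads an attacker page with an auto-submitting form aimed at the API."""
    return Request("POST", "/subscription/cancel",
                   cookies={"sid": "sess-42"},
                   headers={"Origin": "https://attacker.test"},
                   form={})


def legitimate_request(token):
    """Constructed request from the real first-party cancel form."""
    return Request("POST", "/subscription/cancel",
                   cookies={"sid": "sess-42"},
                   headers={"Origin": SITE_ORIGIN},
                   form={"csrf_token": token})


def demo():
    """Run the forged post against both handlers, then a legitimate one."""
    SESSIONS["sess-42"]["subscribed"] = True
    vulnerable_status = cancel_vulnerable(forged_request())
    cancelled_by_forgery = not SESSIONS["sess-42"]["subscribed"]

    SESSIONS["sess-42"]["subscribed"] = True
    hardened_status = cancel_hardened(forged_request())
    survived_forgery = SESSIONS["sess-42"]["subscribed"]

    token = issue_csrf_token("sess-42")
    legitimate_status = cancel_hardened(legitimate_request(token))
    cancelled_legitimately = not SESSIONS["sess-42"]["subscribed"]

    return {
        "vulnerable_status": vulnerable_status,
        "cancelled_by_forgery": cancelled_by_forgery,
        "hardened_status": hardened_status,
        "survived_forgery": survived_forgery,
        "legitimate_status": legitimate_status,
        "cancelled_legitimately": cancelled_legitimately,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two defences are deliberately independent: the Origin check alone fails open for clients that omit the header, and the token alone is defeated if it ever leaks into a URL or a log, so production code should keep both and additionally mark the session cookie `SameSite=Lax` or `Strict`.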