TunnelBear recently announce that it underwent its sixth annual independent security audit. While the audit was mostly good, it wasn’t perfect.
The audit found 32 vulnerabilities within TunnelBear’s infrastructure. According to TunnelBear, 32 different vulnerabilities were found within its systems and infrastructure. More than half of these (17) were only minor vulnerabilities, but the rest were major vulnerabilities that needed TunnelBear’s attention.
Having so many vulnerabilities exposed during an audit is a lot — threat actors will take advantage of frontend or backend vulnerabilities to try obtaining personal data, sabotaging the company, or worse in an attempt to steal from their victims.
While this may sound like a poor audit, keep in mind that TunnelBear has rapidly expanded its infrastructure over the last few years, and it’s very normal for software to have some vulnerabilities build up during large infrastructure changes. On top of that, 6 years ago, TunnelBear was one of the first VPNs to get a third-party audit for their consumer VPN. Audits are meant to expose vulnerabilities in programs, so finding them now is the best-case scenario.
TunnelBear worked to immediately patch these vulnerabilities. Currently, it has fixed all but five of these vulnerabilities and is working to fix the rest. Its worth noting that the audit done by the reputable cybersecurity firm, Cure53, also highlighted that their front-end security is very good — meaning it’s unlikely that attackers will be able to take your data or decrypt your information because of these backend vulnerabilities (that have largely been patched.)
You can read the full report by Cure53 here, but to break it down — Cure53 had eight employees spend a total of 42 days combing through TunnelBear’s infrastructure to find every issue possible. They examined public websites, VPN infrastructure (both front-end and back-end), each TunnelBear application, and more while documenting their findings.
Source of Article