Independent auditors at leading firm Cure53 confirmed that the ExpressVPN browser extension for Chrome and Firefox is secure as it protects "against the majority of severe threats."
ExpressVPN is arguably the most proactive among the best VPN companies on the market when it comes to putting its service under external scrutiny. This is the 19th time the provider has undergone a third-party audit since 2018. Specifically, it's the second security assessment of its VPN browser extension – the first was carried out in 2022.
How has the ExpressVPN browser extension been audited?
Experts at Cure53 took a deep dive into the VPN infrastructure to ensure that, as of June 2024, the ExpressVPN browser extension works as promised.
Specifically, auditors employ a white-box testing approach, performing penetration tests and source code audits to assess the security offered by the ExpressVPN browser extension. The testing lasted six days.
Part of the analysis focused on the potential for a malicious extension to exploit the communication channel – the VPN browser extension – to take control of the virtual private network (VPN).
Besides a secure VPN browser extension and dedicated apps for all devices, ExpressVPN also offers a speedy built-in VPN router, ExpressVPN Aircove. Experts at Cure53 inspected its security and privacy features ahead of the launch in 2022, gaining "a positive impression" overall.
"Fortunately, the review yielded positive results, as no such vulnerabilities were identified," Cure53 wrote in its assessment report, adding that no misconfigurations within the software were found, either.
The audit identified only two small issues – one labeled as a medium severity vulnerability and one as a general weakness – directly related to the functionality in charge of spoofing your real location.
While suggesting ExpressVPN resolve these issues to bolster "the already robust security posture of the VPN extension," Cure53 confirmed that both vulnerabilities have low exploitation potential.
"The overall number of findings made during this engagement was very small, and this can certainly be interpreted as a positive sign in regards to the security of the inspected VPN browser extension," reads the report. "All in all, Cure53 would like to congratulate the ExpressVPN team on their excellent work."
Regular independent audits on VPN products have become an industry standard – a way for privacy-focused providers to back up their claims with hard facts. Ultimately, the aim is to empower people to look beyond marketing ploys and get a truly secure VPN service.