Malwarebytes VPN - Third-Party Audit Reveals Vulnerabilities

In short: Malwarebytes had outside experts check its VPN for security problems.
Malwarebytes Privacy VPN completed a third-party audit revealing critical vulnerabilities. The company is addressing these issues to enhance user security and privacy. Trust in your VPN provider is essential, and Malwarebytes is committed to transparency.
What Happened
Malwarebytes has recently completed its first third-party audit of the Malwarebytes Privacy VPN and AzireVPN infrastructure. This audit is crucial for verifying the security measures and privacy promises made by VPN providers. Conducted by the penetration testing firm X41 D-Sec, the audit aimed to uncover any vulnerabilities that could compromise user privacy.
Audit Findings
The audit revealed a total of six vulnerabilities categorized by severity:
- 2 Critical
- 0 High
- 2 Medium
- 2 Low
The critical vulnerabilities were particularly concerning, with one receiving a CVSS score of 9.4 and the other a score of 9.3. Both scores sit near the top of the CVSS scale, indicating a high level of risk that requires immediate attention.
Details of Critical Issues
The first critical issue involved the server setup process. Malwarebytes' servers download a Debian image to install the operating system. However, the audit found that the checksum for this image was not properly validated, so an attacker able to interfere with the download could deliver a modified image that the server would install without noticing.
The second critical issue related to the Preboot Execution Environment (PXE) used during server boot-up. The boot process lacked cryptographic signatures, making it susceptible to man-in-the-middle attacks. Although significant physical access would be required for such an attack, the risk remains serious.
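Both critical findings come down to the same missing control: an artifact fetched during provisioning (the Debian installer image, the PXE boot files) is used without first being checked against a trusted reference. The following is an added example, not code from Malwarebytes, AzireVPN or X41 D-Sec, showing the fail-closed check that would have caught both. It pins SHA-256 digests of known-good copies and refuses any download whose digest is missing or does not match; the file names, directory layout and file contents are constructed for the demonstration.

```python
"""Fail-closed verification of server provisioning artifacts.

Added example; not Malwarebytes', AzireVPN's or X41's code. File names,
file contents and the directory layout are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash large images in 1 MiB chunks


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file without loading it all into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(trusted_dir: Path) -> dict[str, str]:
    """Pin digests from copies obtained over a trusted, out-of-band path.

    In production this step is replaced by a signed manifest, e.g. Debian's
    SHA256SUMS verified against SHA256SUMS.sign before any digest is trusted.
    """
    return {
        p.name: sha256_file(p)
        for p in sorted(trusted_dir.iterdir())
        if p.is_file()
    }


def check_artifact(download: Path, manifest: dict[str, str]) -> tuple[bool, str]:
    """Decide whether a downloaded artifact may be installed.

    Fails closed: a file with no pinned digest is refused just like one whose
    digest does not match, so a renamed or extra file cannot slip through.
    """
    expected = manifest.get(download.name)
    if expected is None:
        return False, f"{download.name}: no pinned digest, refusing to install"
    actual = sha256_file(download)
    # compare_digest keeps the comparison time independent of where it differs
    if not hmac.compare_digest(actual, expected):
        return False, f"{download.name}: digest mismatch (got {actual[:12]}..., want {expected[:12]}...)"
    return True, f"{download.name}: verified"


def demo() -> dict[str, bool]:
    """Run the two audit scenarios on constructed files and report the outcomes."""
    image = b"constructed Debian installer image bytes\n"
    boot = b"constructed PXE boot loader bytes\n"
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp, "trusted")
        mirror = Path(tmp, "mirror")
        trusted.mkdir()
        mirror.mkdir()
        # Known-good copies: the trusted channel the manifest is built from
        (trusted / "debian-netinst.iso").write_bytes(image)
        (trusted / "pxelinux.0").write_bytes(boot)
        manifest = build_manifest(trusted)
        # What the server actually receives: one clean copy, one altered in transit,
        # and one file that was never pinned at all
        (mirror / "debian-netinst.iso").write_bytes(image)
        (mirror / "pxelinux.0").write_bytes(boot[:-1] + b"!\n")
        (mirror / "extra-payload.bin").write_bytes(b"constructed file that was never pinned\n")
        return {
            "clean_image_accepted": check_artifact(mirror / "debian-netinst.iso", manifest)[0],
            "altered_bootloader_rejected": not check_artifact(mirror / "pxelinux.0", manifest)[0],
            "unpinned_file_rejected": not check_artifact(mirror / "extra-payload.bin", manifest)[0],
        }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'PASS' if ok else 'FAIL'}")
```

Two caveats apply when moving from the demo to a real provisioning pipeline. A pinned digest is only as trustworthy as the channel it arrived over: if the checksum file is fetched from the same mirror as the image, an attacker who can alter one can alter both, which is why Debian publishes a detached GPG signature (SHA256SUMS.sign) for its checksum file. For PXE the check must also run before the operating system exists, because TFTP provides no integrity protection of its own; in practice that means a signed boot chain (UEFI Secure Boot with a signed shim and boot loader, or HTTPS boot to a server whose certificate the firmware trusts) rather than an application-level hash.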
What’s Being Done
Malwarebytes has already addressed one critical vulnerability and is actively working on fixing the remaining critical issue, along with other identified vulnerabilities. The company emphasizes its commitment to user privacy and transparency, stating that it does not log user activity and tightly controls access to its systems.
Industry Implications
This audit highlights the importance of third-party evaluations in the VPN industry. Many VPN providers do not undergo such scrutiny, leaving users unaware of potential vulnerabilities. With 77% of Android VPNs reportedly having significant flaws, Malwarebytes aims to set a standard for transparency and accountability.
Conclusion
The results of this audit are a step forward for Malwarebytes and its users. By openly sharing the findings and actively addressing vulnerabilities, the company reinforces its commitment to user privacy. As the VPN landscape continues to evolve, regular audits will play a crucial role in ensuring the security and trustworthiness of these services.