The final report of the external security audit on our VPN app, version 2018.2, is now publicly available.
As summarized in the report, "the assessment yielded a total of seven issues, which [is] an exceptionally small number given the complex field of the VPN software and the connected, vast attack surface."
Of those seven, six issues related to the app, none of which were remotely exploitable. In addition, the testers found no traffic leaks and no ways for a network-based attacker to force leaks. The remaining issue had to do with our website.
Read the report
Read the final audit report, made available on Cure53's website.
Also public is the initial report, which is the version that was initially presented to us. After a discussion with the auditors about the use of certain terminology, they adjusted the report to provide better clarity and produced the final version.
An independent audit helps to discover potential security vulnerabilities and fix them, all resulting in an even better service. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.
Thanks to the audit's findings, we prioritized our app development accordingly and released version 2018.3. Be sure you're using the latest version of the Mullvad VPN app – download now.
Overview of findings
Of the seven issues found, the two identified vulnerabilities required local access to the computer. Of the five miscellaneous issues, three required local access, one pertained to our website, and the last one reflected on software dependencies.
Regarding the five findings that depended on local access, it should be noted that in general we do not consider attackers with local access to be part of our threat model. Nonetheless, we will of course consider all recommendations made by the auditors to further improve the security of our app.
Please feel free to contact us if you have any questions after reading this post or the audit report.
- MUL-01-004 Windows: Privilege escalation by replacing executables (Critical)
Our comment: Solved in app version 2018.3. Under certain conditions, a user with local access could abuse the app to gain administrative privileges.
- MUL-01-006 Daemon: Any user can issue WebSocket commands (High)
Our comment: Any user with local access can control the app. This is currently intentional, but we will consider the auditors' recommendations. It should also be noted that we replaced WebSocket with IPC.
As described by the auditors, "This section covers those noteworthy findings that did not lead to an exploit but might aid an attacker in achieving their malicious goals in the future.
"Most of these results are vulnerable code snippets that did not provide an easy way to be called. Conclusively, while a vulnerability is present, an exploit might not always be possible."
- MUL-01-001 App: Missing Browser Window preferences allow RCE (Info)
Our comment: Requires a local user to drag a malicious file onto the app window. We are looking into this.
- MUL-01-002 App: WebSocket leaks real IP addresses and geolocation (Medium)
Our comment: By its current design, all local users should be able to query the app for current status and information. See also MUL-01-006. We are looking into this.
- MUL-01-003 Daemon: Weak permissions on config and log files (Low)
Our comment: A local user can read the configuration and log files of the app. We are looking into this.
- MUL-01-005 OOS: CSRF on adding and removing forwarded ports (Low)
Our comment: Fixed on 20 September 2018.
- MUL-01-007 App: Lax version requirements for Node dependencies (Info)
Our comment: We are looking into this.
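As an added example, not code from Mullvad or from the Cure53 report: a small POSIX permission check in the spirit of the local-access findings MUL-01-003 (config and log files readable by other users) and MUL-01-004 (an executable that a local user could replace because its file or directory is writable). The file names and directory layout are constructed for the demonstration.

```python
"""Constructed permission audit: flags files that should be private to their
owner and executables that an unprivileged local user could overwrite."""
import stat
import tempfile
from pathlib import Path

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
READ_BY_OTHERS = stat.S_IRGRP | stat.S_IROTH


def check_secret_file(path):
    """Problems for a config or log file (MUL-01-003 pattern)."""
    mode = Path(path).stat().st_mode
    problems = []
    if mode & READ_BY_OTHERS:
        problems.append("readable by group/others")
    if mode & WRITE_BY_OTHERS:
        problems.append("writable by group/others")
    return problems


def check_executable(path):
    """Problems for a privileged executable (MUL-01-004 pattern):
    a writable binary, or a writable parent directory without the
    sticky bit, lets another local user swap the file."""
    p = Path(path)
    problems = []
    if p.stat().st_mode & WRITE_BY_OTHERS:
        problems.append("executable writable by group/others")
    dmode = p.parent.stat().st_mode
    if dmode & WRITE_BY_OTHERS and not dmode & stat.S_ISVTX:
        problems.append("directory writable by group/others without sticky bit")
    return problems


def demo():
    """Build a constructed layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "settings.json"     # constructed: world-readable config
        cfg.write_text("{}")
        cfg.chmod(0o644)
        log = root / "daemon.log"        # constructed: owner-only log
        log.write_text("")
        log.chmod(0o600)
        bindir = root / "bin"            # constructed: world-writable bin dir
        bindir.mkdir()
        bindir.chmod(0o777)
        exe = bindir / "daemon"
        exe.write_text("#!/bin/sh\n")
        exe.chmod(0o755)
        return {"settings.json": check_secret_file(cfg),
                "daemon.log": check_secret_file(log),
                "daemon": check_executable(exe)}
```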