
A recent security audit conducted by Cure53 identified four high-severity vulnerabilities in NordVPN’s apps and features, highlighting critical security gaps.
The assessment, commissioned by NordVPN in mid-2024, involved penetration testing and source code reviews of its mobile, desktop, and browser applications. The flaws, now patched, affected Threat Protection, WebSocket TLS security, VPN handling, and Meshnet features.
Cure53’s findings
The Cure53 audit was performed by a team of eleven senior security testers over a 55-day period. The assessment uncovered a total of 31 security issues, with four rated as high severity. The most critical vulnerabilities included:
Web Protection Path Leak via Same-Origin Window (NOR-15-001)
This flaw allowed attackers to bypass NordVPN’s malware and ad-blocking features by exploiting browser same-origin policies: by opening a new window instead of an iframe, an attacker could evade filtering and reach blocked sites.
Direct Access to Top-Level Domains Bypasses VPN (NOR-15-006)
A flaw in NordVPN’s extension logic misclassified certain domains as private, allowing direct access outside the VPN tunnel. This bypassed the VPN entirely, even when the kill switch feature was enabled.
Threat Protection Ignoring WebSocket TLS Validations (NOR-15-007)
The Threat Protection feature failed to verify WebSocket TLS certificates, enabling potential man-in-the-middle (MitM) attacks where malicious actors could intercept or modify WebSocket communications.
NordFileshare Replaceable with a Bind Shell (NOR-15-023)
Attackers with local access could exploit NordVPN’s Meshnet feature by replacing the nordfileshare executable with a malicious bind shell, allowing remote access through the NordVPN firewall rules.
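A defender-side check for the class of problem behind NOR-15-023, added here as an illustration and not taken from NordVPN or the Cure53 report: it flags an executable that a non-owner could swap out, either because the file itself or one of its ancestor directories is group- or world-writable. The article does not say why nordfileshare was replaceable, so the permission model (POSIX mode bits only, no ACLs, no Windows) and the placeholder path are assumptions.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for anyone but the owner


def replaceable_by_others(path):
    """Return (path, reason) pairs showing how a non-owner could replace `path`."""
    findings = []
    path = os.path.realpath(path)  # audit the real target, not a symlink
    if os.stat(path).st_mode & LOOSE:
        findings.append((path, "file is group/world-writable"))
    # A writable ancestor directory lets a user rename or delete the entry
    # below it and drop in a new one, even when the file itself is read-only.
    # The sticky bit restricts delete/rename to the entry's owner, so a
    # sticky directory such as /tmp is not reported.
    parent = os.path.dirname(path)
    while True:
        mode = os.stat(parent).st_mode
        if mode & LOOSE and not mode & stat.S_ISVTX:
            findings.append((parent, "directory is group/world-writable"))
        up = os.path.dirname(parent)
        if up == parent:  # reached the filesystem root
            break
        parent = up
    return findings


if __name__ == "__main__":
    # Constructed layout: a stand-in for a helper binary that firewall
    # rules trust, installed in a directory with overly loose permissions.
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        exe = os.path.join(bindir, "fileshare-placeholder")  # hypothetical name
        open(exe, "w").close()
        os.chmod(exe, 0o755)
        os.chmod(bindir, 0o777)  # the weak setting
        for where, why in replaceable_by_others(exe):
            print(f"{where}: {why}")
```

Run it against any binary that firewall or allow-list rules trust by path; an empty result means the mode bits alone do not permit replacement by another local account.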
NordVPN’s response
NordVPN addressed all reported vulnerabilities following the audit, with Cure53 verifying the implemented fixes. There has been no mention of active exploitation of these flaws in the wild.
While NordVPN promotes its strong security posture, the discovery of multiple high-severity flaws underscores the importance of continuous auditing in VPN services. NordVPN has gone through numerous audits over the years, yet new vulnerabilities, including high-severity ones, are still present in its apps. Such security gaps are typically introduced by new features and technologies implemented in the products, so the process of finding and fixing flaws is continual.
Users are advised to keep their VPN apps up to date to benefit from the latest security fixes and review their security and privacy settings to ensure they meet their needs.