VeePN Browser Extensions: Results from Independent Audit about Robust Security
Posted on 2nd September 2021
General Information about Audit
VeePN covers more than 2500 servers in 50 locations. It aims to provide exceptional connection speed and lets you surf the Internet effortlessly, with no need to worry about bandwidth limits. VeePN makes every effort to ensure you have the fastest Internet experience.
VeePN is proud to present the results. VeePN Corp. requested a security assessment in February 2021, and it was quickly scheduled. A white-box approach was selected for this assessment, as it enables the maximum possible breadth and depth of coverage. Cure53 provided a team of two senior testers to carry out the assessment. Cure53 was granted access to the uncompressed sources of the Chrome and Firefox extensions along with all other necessary information, test user accounts, etc.
Preparation for Assessment
VeePN Corp. performed all the needed preparations in the week before the assessment to provide a smooth start for the Cure53 testing team. The process moved forward at a good pace. Communication was carried out in a dedicated shared Slack channel connecting the workspaces of VeePN Corp. and Cure53. No noteworthy roadblocks were encountered during the test.
Results of Test
The Cure53 team reported only three security-relevant discoveries. Two of them can be classified as security vulnerabilities, and the third is a general weakness with lower exploitation potential. One of the discoveries was rated “High” because it led to a classic information leak in the Squid proxy error page, which is the most widespread finding in VPN and proxy software setups.
Recommendations to Remove the Identified Vulnerabilities
For the “User-information leaked in Squid default error page” vulnerability, it is advised to modify the generic Squid error page and remove all user-related information.
For the “Auto-Protect feature bypass via domain trimming” vulnerability, it is advised to remove the offending code path. This guarantees that the WebExtension tunnels exactly the domain that the user added.
For the “XSS in pop-ups via server status code” vulnerability, it is advised to replace the innerHTML property with a secure option like innerText. This displays the error to the user without the risk of rendering unintended HTML tags.
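The following is an added example illustrating the fix described above; it is not VeePN's or Cure53's code. It assumes a pop-up that renders a status line received from the server into an element, and uses a constructed stand-in object for the DOM element so that it runs outside a browser (textContent is used as the text-only sink; innerText, which the recommendation names, behaves the same for this purpose).

```javascript
// Constructed stand-in for a DOM element so the example runs outside a
// browser: in a real pop-up, `el` would be document.getElementById('status').
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Builds the message shown to the user from the server's status code and text.
function formatStatus(code, text) {
  return `Server returned ${code}: ${text}`;
}

// Flagged pattern: innerHTML parses the string as HTML, so any tags inside
// `text` (which arrives from the server) become live DOM in the pop-up.
function renderStatusUnsafe(el, code, text) {
  el.innerHTML = formatStatus(code, text);
  return el;
}

// Hardened pattern: textContent treats the whole string as text, so tags are
// displayed as literal characters and never parsed.
function renderStatus(el, code, text) {
  el.textContent = formatStatus(code, text);
  return el;
}

// Check used only by this example: did anything that looks like markup reach
// the HTML-parsing sink?
function wroteMarkupToHtmlSink(el) {
  return /<[a-z][^>]*>/i.test(el.innerHTML);
}

// Constructed sample status text carrying markup instead of plain text, as a
// misconfigured or hostile server could return.
const sampleStatusText = '<b>Bad Gateway</b>';

const unsafe = renderStatusUnsafe(makeElement(), 502, sampleStatusText);
const safe = renderStatus(makeElement(), 502, sampleStatusText);
```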
Note that all vulnerabilities were addressed and fixed during the assessment.
The general impression of the VeePN WebExtension for Firefox and Google Chrome is very positive. All issues reported via Slack were immediately addressed by the VeePN team, and all fixes have been verified. The low number of findings means that the Cure53 team can conclude this project (carried out in spring 2021) with excellent outcomes for VeePN Corp.
VeePN Corp. wants to thank Cure53 for their assessment and pleasant collaboration. Both the Cure53 and VeePN teams provided excellent project coordination, support, and assistance before and during the assessment.
The VeePN Browser Extension is headed in the right direction concerning its security design. The most widespread browser proxy mistakes have been successfully avoided thanks to good design and implementation decisions. The strong security model of WebExtensions can be regarded as an advantage.