Mullvad VPN audit: low number of vulnerabilities found and fixed, lots of praise
Mullvad VPN audit: low number of vulnerabilities found and fixed, lots of praise
Mullvad VPN is a popular privacy-focused VPN service. The service is using a disk-less infrastructure and has recently started to run encrypted DNS servers in RAM as well. You may also buy Mullvad codes on Amazon or through other ways that keep you anonymous.
In late 2024, Mullvad asked Germany-based X41 D-Sec to conduct an audit of the service, making it the fourth external security audit since 2018.
Company engineers were tasked with auditing the source code of Mullvad's VPN apps on all platforms and performing penetration testing. This happend between October and November 2024.
Vulnerabilities were found
X41 D-Sec discovered a total of six vulnerabilities.
- Three high-security vulnerabilities.
- Two medium-rated vulnerabilities.
- One low vulnerability.
Additionally, the researches found three issues with security impact.
Mullvad addressed the issues that were within scope. Some of the discovered issues are not fixable by Mullvad, as they are found in certain behaviors of operating systems or protocols.
The three security issues rated high are all fixed. They were:
- A potential heap corruption issue on Android, Linux, and macOS.
- An issue with the fault signal handler in mullvad-daemon affecting Android, Linux, and macOS.
- Use of taskkill.exe on Windows in the installer without use of absolute paths.
Not all issues can be fixed by Mullvad
One issue, rated medium, for instance, which may leak the virtual IP address of tunnel devices to network adjacent participants, affects Linux and Android only. On Linux, Mullvad solved the issue by changing a kernel parameter.
On Android, Mullvad's app has no control over that parameter. The company did report the issue to Google, hoping that Google will change the default behavior on Android to address this.
It should be noted that the issue affects other apps on Android as well. Mullvad says that it does not consider the leak high severity. It may however leak the tunnel IP to observers. IPs get changed monthly, but signing out of the app and back in again gives the client a new tunnel IP address as well.
Closing Words
Security audits find potential vulnerabilities, which companies may then fix proactively. They may also help instill confidence in existing or future users of the service, especially if conducted regularly.
Now it is your turn. Do you us a VPN solution? If so which and why? Feel free to leave a comment down below.
More like this
-
Apple reforms App Store rules to allow third-party payment methods in the U.S. but will still charge a commission fee
Apple reforms App Store rules to allow third-party payment methods in the U.S. but will still charge a commission feeRead more -
Winxvideo AI: Your One-Stop Video and Image Solution for upgrading your Media
Winxvideo AI: Your One-Stop Video and Image Solution for upgrading your MediaRead more
-
Microsoft needs to make Windows 11's Recall feature opt-in
Microsoft needs to make Windows 11's Recall feature opt-inRead more
-
PayPal-owned Honey accused of deceptive practices and more
PayPal-owned Honey accused of deceptive practices and moreRead more
-
Apple’s Passwords App Had a Major Security Flaw—Here’s What You Need to Know
Apple’s Passwords App Had a Major Security Flaw—Here’s What You Need to KnowRead more
