NordVPN Passes a Cure53 Audit


NordVPN has announced that it underwent and passed a series of tests in 2022.

Berlin-based Cure53 audited the company’s apps, browser extensions, server infrastructure, and the Threat Protection feature.

The testing took place over several months and it showed that the provider lives up to its claims of having a good infrastructure and offering top-notch security.

The structure of the audit

In its official reports, Cure53 detailed the scope, results, and concluding summaries of the tests.

In July and August 2022, the company conducted a number of white-box tests against NordVPN’s apps and add-ons.

→ This first part of the audit took a total of 52 days, and Cure53 divided the initial assessments into three separate work packages (WPs):

  • WP1: Testing NordVPN’s Windows, Linux, and macOS apps
  • WP2: Testing NordVPN’s browser extensions and Android and iOS apps
  • WP3: Testing NordVPN’s web applications, services, and APIs

The company released a detailed report on this part of the audit, listing all vulnerabilities and issues discovered.

→ The second round of testing took a total of 25 days in September and October 2022. It included server and infrastructure examinations.

Unlike the first phase, the second part of the audit was conducted in a single work package.

NordVPN provided its codebase and detailed supporting documentation to the audit company for this assessment.

Cure53 published the results of this phase of the audit in a second report.

Several vulnerabilities fixed

As mentioned above, the auditor discovered some vulnerabilities and issues. However, Cure53 stated that this is the typical volume of problems for a scope of this magnitude.

The company provided detailed information on each of them in its reports and classified them according to the severity of the problem.

For example, the tests showed that an attacker could change the file path for the saveExtension function to load an arbitrary extension. Cure53 then provided the code in question, highlighting the problem.

The company states in its reports that NordVPN fixed most of the vulnerabilities and issues found.

It also points out that some of the minor issues were left unaddressed because proper solutions would have introduced additional complexities and dependencies.

Since the number of vulnerabilities and issues wasn’t higher than usual, Cure53 said that NordVPN’s “entire client software complex has already made strong progress from a security perspective.”

The VPN provider further stated that it always strives to offer the highest quality of service to its customers.

NordVPN previously passed its third no-log policy audit by Deloitte in January. One of its competitors, Surfshark, passed the same audit soon after.
