Independent security audit concluded

IVPN News By Nick Pestell | Posted on January 23, 2020

We’re pleased to announce that an independent security audit of the IVPN service conducted by Cure53 has concluded. The audit was conducted by 6 members of the Cure 53 team over 21 man-days in late November and December.

The purpose of the audit was to evaluate the security of our information systems by measuring how well they conform to a set of security best practices. The audit identifies vulnerabilities that may affect the security or privacy of our customers and provides recommendations on how to resolve them. However, an audit only provides a snapshot of the systems in scope during the period in which it was conducted. We hope that publishing the results of these audits increases our customer’s confidence in the security of our systems and demonstrates our commitment to operating transparently wherever possible.

The scope of the audit was very extensive and included our public VPN service infrastructure, our internal backend servers supporting our VPN service and penetration testing of our public web servers. A white-box approach was used whereby Cure53 was given full access to all our code repositories and a dedicated audit environment created to replicate our exact production environment. No access to production VPN servers or infrastructure was granted to members of the cure53 team.

A total of 9 issues (3 high, 2 medium, 3 low, 1 info) were discovered, all of which were either immediately resolved or have since been resolved. Although the general assessment concludes the audit on the positive note and the vast majority of infrastructure was shown to be designed with high levels of security, the audit identified two vulnerabilities which we’d like to expand on below.

  1. Disabled CSRF token

During the audit it was identified that CSRF protection middleware on the IVPN website was commented out.

Although it was re-enabled immediately, it showed that our development process failed to protect us from this code being deployed in the first place. We believe that the code disabling CSRF was pushed to production accidentally by a developer with intention to debug some transient issue on staging and then merged it to production branch.

The attacker would yield no personal data (beyond what would be required to be already known for the attack to succeed) or affect the privacy or security of the customers VPN service in any way. The only possible adverse effect would be locking the user out of their account by modifying their password. Regardless, we take this vulnerability very seriously and have already done the following to ensure this vulnerability can’t be exposed again:

2. Add-on modules vulnerabilities

We have a legacy system from the early years of our business which contained modules with various security issues. This system has multiple levels of protection and were only accessible to someone

Although only a few people in the company could theoretically exploit these modules, we acknowledge that they should have been removed earlier and it shows that we had a blind spot in the legacy part of our infrastructure. To resolve this issue we immediately deactivated the insecure modules.

Commitments going forward

We believe that extensive regular audits are necessary to ensure our customer’s security and continued trust. We are committed to conducting an annual audit of all our infrastructure. We will initiate another comprehensive audit of similar scope towards the end of this year and every 12 months after that.

We have made available the Cure53 report for those interested in more detail. For transparency we decided to publish the full report with only the details about the vulnerabilities removed to ensure sensitive information about our infrastructure was not exposed (internal hostnames, code snippets etc).

IVPN Team

Audit Transparency
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to blog@ivpn.net.

8 Comments

John Ivpnuser

29.01.2020

I can’t seem to access the report!?

John Doe

31.01.2020

Thank you to everyone involved in the audit and being transparent about it. I understand that not every minor detail cannot be covered, but it’s good to at least know that you guys are making an effort to show things are being done. Again thank you, I don’t see much activity in regards to promotion of your services but I hope I prosperous new year to you all and that you keep this transparency up in the future.

Viktor Vecsei

05.02.2020

The link is working on our end. Please contact our customer service team here if you still can’t access it: /contactus - they are ready to send it to you directly through other channels.

cure69

04.03.2020

great to see, thanks for doing this =)

Jorge

14.03.2020

I am not that IT literate; So how if at all does this audit correlate to logging" either network or user related?

spinon

15.03.2020

The total number of issues found in the Cure53 audit (9) does not tally with the sum of the numbers in parentheses. Why the glaring discrepancy?

Viktor Vecsei

14.04.2020

No-logs claim specifically was scrutinized in an earlier audit: https://www.ivpn.net/blog/ivpn-no-logging-claim-verified-by-independent-audit/

Viktor Vecsei

14.04.2020

The number of low errors indicated in the original blog post (1) was incorrect. It is actually 3 - as visible in the full audit PDF linked. So the total issue count was shown correctly, while we made a basic addition error on that specific type. This is now fixed. Sorry.
IVPN News

Independent security audit concluded

By Nick Pestell

IVPN News

IVPN applications are now open source

By Viktor Vecsei

Releases

Beta IVPN Linux app released

By Viktor Vecsei

IVPN preparing for 6th annual security audit IVPN News

IVPN preparing for 6th annual security audit

Posted on February 15, 2024 by Nick Pestell

Consistent with our pledge to conduct a yearly review of our systems, we have commissioned the independent security auditing organisation Cure53 to perform a security audit in March 2024. As we remarked last year, audits we arrange focus on parts of our systems that received significant updates.
IVPN News

Change of company name to IVPN Limited

Posted on August 10, 2023 by IVPN Staff

We have officially changed the name of the company operating IVPN from Privatus Limited to IVPN Limited. Ownership structure, jurisdiction, address and administrative registration details are unchanged. The reason for this move is to bring our product and brand name into alignment, reducing confusion and providing clarity to customers, partners and other parties about the operator of the service.
Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.