VPNPro’s blog recently published a post that seemed to be a research-based help piece, showcasing their supposed capabilities over those of their competitors. VPNPro claims that their test was able to intercept the connections of popular VPN providers and, in some cases, install malware disguised as a fake update.
Some of the VPNs that VPNPro claims were vulnerable are directly contesting the article. TorGuard is among those VPN providers.
The Claims Made by VPNPro
VPNPro’s tests were allegedly designed to see whether the 20 most popular VPNs, selected by them, could be successfully hijacked. By hijacking, the company means that they attempted to intercept the connection with phony network update requests, and to see whether the VPN would connect via their malicious connection.
The test went further, attempting to install malicious updates via the intercepted connection. Out of the 20 VPNs tested, VPNPro claims that four would establish the connection and 16 would not.
Bug Bounties are Commonplace
Trustworthy VPN companies often invite bug hunters to test their VPNs and report the bugs, often providing some kind of generous reward for the discovery of these bugs. TorGuard is among the VPN providers that encourage sleuths and tech enthusiasts to dig deep on the hunt for possible errors or vulnerabilities. VPN companies are used to being scrutinized in this way. In fact, they rely on that scrutiny to fortify their products.
That having been established, a bug bounty scheme is not what transpired here.
Proper Bug Bounty Protocol (and What Actually Happened Here)
During a bug bounty, responsible reporting involves the individual who discovered the vulnerability privately disclosing it to the company responsible for fixing it. In this case, VPNPro did reach out to Betternet and PrivateVPN with their findings. Both companies acknowledged the vulnerability, created patches, and sent their fixes to VPNPro for testing. Both VPN companies, together with VPNPro, have acknowledged that the discovered issues are now resolved.
Many of the companies who were tested by VPNPro found that the publicly disclosed vulnerabilities did not actually exist, raising more questions that do not actually have answers. A spokesperson for CyberGhost VPN claims that they were absolutely never notified that a report was going to be published, and they were never provided with evidence of the vulnerability that VPNPro claims exists within their product.
VPNs Taking Legal Action Against VPNPro
To verify the authenticity of these bug-hunting quests, the methodology and findings need to be properly recorded. The error needs to be reproducible in order for developers to understand and properly repair the problem. The lack of clarification and evidence on VPNPro’s end regarding what they define as “intercepting a connection” and how they went about doing so is troubling to many VPN providers, who have been told that they’ve failed a series of riddles rather than an actual, measurable series of properly conducted tests.
Alexandra Bideaua, a spokesperson for CyberGhost VPN, deconstructed the way she understands these ambiguous tests took place. She said that claiming a vulnerability was discovered here is the same as saying your mail is at risk because people can see the mailman carrying the mail bag. The contents of your letter are still sealed, and no one is able to intercept the actual data they contain.
This renders VPNPro’s tests completely useless – they weren’t able to actually access any of the data they’re claiming was vulnerable. VPN experts see VPNPro’s report as fearmongering – an attempt to poach uninformed customers from their competition with the use of scary keywords and highly ambiguous terminology. The bottom line is that VPNPro, despite the way they’ve worded their piece to be deliberately confusing, didn’t actually infiltrate anything.
Providers like CyberGhost VPN have threatened to take legal action against VPNPro, as this deliberately misleading smear campaign can damage the reputations of VPN companies that actually provide the highest possible quality of service.
TorGuard’s Official Statement
TorGuard is on VPNPro’s list, and we truly understand how CyberGhost VPN feels about this entire debacle. This is our official statement:
“This misguided ‘research’ by VPNPro is nothing more than click bait scare tactics sponsored by competing VPN firms. TorGuard’s app validates all outbound HTTPS calls with white-listed SSL certs and TLS 1.3. You can’t MITM our server or config. The article proves nothing and lacks evidence.”
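The statement above rests on two controls: the update client only accepts whitelisted server certificates, and it only negotiates TLS 1.3. The following is an added illustration of that pattern written for this post, not TorGuard’s actual client code; the pin values, host name and `/update.json` path are constructed placeholders, and the check is a whole-certificate SHA-256 fingerprint rather than whatever form of pinning the app itself uses. An interposed certificate, even one a CA would sign, fails the pin check before any update request is sent.

```python
import hashlib
import socket
import ssl

# Constructed placeholder: hex SHA-256 fingerprints of the DER-encoded
# certificates the update client is willing to accept. In a real client
# these are baked into the signed build, never fetched at runtime.
PINNED_CERT_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded X.509 certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True only if the presented certificate is on the whitelist."""
    return cert_fingerprint(der_cert) in pins


def make_update_context() -> ssl.SSLContext:
    """Normal CA validation and hostname check, but TLS 1.3 only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def fetch_update_manifest(host: str, pins: set, port: int = 443,
                          path: str = "/update.json") -> bytes:
    """Connect, check the pin BEFORE sending anything, then fetch the manifest.

    A MITM that terminates TLS presents its own leaf certificate; its
    fingerprint is not in `pins`, so the client aborts without ever
    requesting (or trusting) an update from the interposed endpoint.
    """
    ctx = make_update_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLError(
                    f"pin mismatch for {host}: {cert_fingerprint(der)}")
            req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode())
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
            return b"".join(chunks)
```

The offline portion (fingerprint and pin comparison) runs without a network; `fetch_update_manifest` needs a reachable host whose certificate fingerprint has been placed in `pins`.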
TorGuard is safe and reliable. We are absolutely obsessed with the highest quality of privacy, and we work around the clock to ensure that our network and software are safe and secure. We know our customers depend on us to keep them safe from hackers and malicious entities, and at the time of publication, no flaws have been found to exist within our system.