Mullvad VPN audit: low number of vulnerabilities found and fixed, lots of praise

Mullvad VPN is a popular privacy-focused VPN service. The service uses a diskless infrastructure and has also recently started running encrypted DNS servers in RAM. You can also purchase Mullvad codes on Amazon or in other ways that keep you anonymous.

At the end of 2024, Mullvad asked Germany-based X41 D-Sec to audit the service, making it the fourth external security audit since 2018.

The company’s engineers were tasked with auditing the source code and performing penetration testing of Mullvad’s VPN apps across all platforms. This took place between October and November 2024.

Vulnerabilities found

X41 D-Sec discovered a total of six vulnerabilities.

  • Three high-severity vulnerabilities.
  • Two medium-severity vulnerabilities.
  • One low-severity vulnerability.

Additionally, the research found three issues with security implications.

Mullvad addressed the issues that were in scope. Some of the issues discovered are not fixable by Mullvad, as they are found in certain behaviors of the operating system or protocols.

Three high-rated security issues have been fixed. They were:

  • Potential heap corruption issue on Android, Linux and macOS.
  • An issue with the fault signal handler in mullvad-daemon, affecting Android, Linux, and macOS.
  • Using Taskkill.exe on Windows in the installer without using absolute paths.
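
The Taskkill.exe finding above comes down to an installer launching a helper by name rather than by full path, which leaves the choice of binary to the Windows executable search order. As an added example (not code from Mullvad, X41 D-Sec or the original article), this Python check flags command lines whose program is not a fully qualified path; the function names and the sample commands are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS


def executable_token(command_line: str) -> str:
    """Return the program part of a Windows-style command line."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def classify(exe: str):
    """Return None for a fully qualified path, else why the path is ambiguous."""
    drive, rest = ntpath.splitdrive(exe)
    if drive and rest[:1] in ("\\", "/"):
        return None                      # e.g. C:\Windows\System32\taskkill.exe
    if drive:
        return "drive-relative path"     # C:tool.exe depends on the current directory
    if "\\" in rest or "/" in rest:
        return "relative path"           # .\tool.exe depends on the current directory
    return "bare name"                   # resolved through the search order


def audit(commands):
    """Return (line number, program, reason) for every ambiguous invocation."""
    findings = []
    for lineno, cmd in enumerate(commands, start=1):
        exe = executable_token(cmd)
        if not exe:
            continue
        reason = classify(exe)
        if reason:
            findings.append((lineno, exe, reason))
    return findings


# Constructed sample input: commands an installer script might run.
SAMPLE_COMMANDS = [
    r'taskkill.exe /F /IM example-app.exe',
    r'"C:\Windows\System32\taskkill.exe" /F /IM example-app.exe',
    r'C:\Windows\System32\taskkill.exe /F /IM example-app.exe',
    r'.\helper.exe --cleanup',
    r'C:helper.exe --cleanup',
]

if __name__ == "__main__":
    for lineno, exe, reason in audit(SAMPLE_COMMANDS):
        print(f"line {lineno}: {exe!r} is a {reason}; use a fully qualified path")
```
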

Not all issues can be fixed by Mullvad

For example, an issue rated Medium, which could leak the virtual IP addresses of tunneled devices to adjacent network participants, affected only Linux and Android. On Linux, Mullvad solved the problem by changing a kernel parameter.

On Android, Mullvad’s app has no control over that parameter. The company reported the issue to Google, hoping Google will change the default behavior on Android to address it.

It should be noted that this issue also affects other apps on Android. Mullvad says it does not consider the leak to be of high severity. However, it may leak the tunnel IP to observers. The IPs are changed monthly, but the client also gets a new IP address upon signing out of the app and signing in again.

Concluding words

Security audits detect potential vulnerabilities that companies can proactively fix. They can also help to build confidence in existing or future users of the service, especially if it is conducted regularly.

Now it’s your turn. Do you use a VPN solution? If so, which one and why? Feel free to leave a comment below.

Thanks for reading.



Source: Ghacks
