“Cure53” Has Audited NordPass and Verified Its Robust Security

  • NordPass was audited by penetration testers “Cure53” and found to be entirely secure.
  • The researchers discovered nine issues with the product, which were fixed by the developers.
  • NordPass just introduced a new feature called “Trusted Contacts” to celebrate the audit success.

“Cure53”, the Berlin-based penetration testing firm that has previously conducted audits on ExpressVPN and on TunnelBear, has now been called in to look into NordPass. This tool is a password manager launched last November by security expert “NordVPN.” During our hands-on review, we praised the product’s simplicity, high-end encryption (XChaCha20), and zero-knowledge architecture, but we wouldn’t say no to a couple of more advanced options geared towards power users. Still, NordPass proved to be a solid option in a crowded space of fierce competition, especially where the users’ privacy protection is concerned.

Now, Cure53 comes to confirm its security as well, creating a solid basis for NordVPN’s new product to build its reputation on. More specifically, the penetration testers looked deep into the product’s source code, its codebase, and the cryptographic system used in the application, trying to figure out if there are any vulnerabilities that would compromise the users’ privacy and security. The auditing process lasted for several months, as there were a lot of elements that needed to be analyzed.

The four key areas that Cure53 focused on were the following:

  1. Reviewing the cryptographic premise
  2. Completing a pen test of the software and a source code audit
  3. Completing a pen test and source code audit of the NordPass background application
  4. Reviewing API touchpoints

The testers followed the “white-box” methodology for the auditing process, which means that NordVPN shared everything with them, including source code, accompanying information, and full documentation. White-box testing is very thorough, and can expose flaws that may be quite hard for actors to ever realistically exploit. Moreover, it often leads to code optimizations, provides an introspection opportunity for the programmers, and gives traceable results.

Cure53 did find nine issues during the testing, and NordVPN’s team was able to address them all before the auditing was concluded. As the team behind NordPass stated, they celebrated this success by introducing a new feature called “Trusted Contacts.” This allows users to manually exchange their encryption keys, thus minimizing the risk of man-in-the-middle attacks. While this is great without a doubt, it would have been even better if that feature had been incorporated into the app before Cure53 was contracted, as the code of that new feature would have been tested too. Leaving that small detail aside, users of NordPass should be even more confident that their information is appropriately protected inside the app’s vault.

