“Cure53” Has Audited NordPass and Verified Its Robust Security

Written by Bill Toulas
Last updated May 13, 2020

“Cure53”, the Berlin-based penetration testing firm that previously audited ExpressVPN and TunnelBear, has now been called in to examine NordPass, a password manager launched last November by the security company “NordVPN.” In our hands-on review, we praised the product’s simplicity, strong encryption (XChaCha20), and zero-knowledge architecture, though we would have welcomed a few more advanced options geared towards power users. Still, NordPass proved to be a solid option in a crowded and fiercely competitive space, especially where user privacy is concerned.

Now, Cure53 has confirmed its security as well, giving NordVPN’s new product a solid basis on which to build its reputation. More specifically, the penetration testers examined the product’s source code and the cryptographic system used in the application, looking for any vulnerabilities that could compromise users’ privacy and security. The audit lasted several months, as there were many elements to analyze.

The four key areas Cure53 focused on were the following:

  1. Reviewing the cryptographic premise
  2. Completing a pen test of the software and a source code audit
  3. Completing a pen test and source code audit of the NordPass background application
  4. Reviewing API touchpoints

The testers followed the “white-box” methodology for the audit, meaning that NordVPN shared everything with them, including the source code, accompanying information, and full documentation. White-box testing is very thorough and can expose flaws that would be quite hard for attackers to realistically exploit. Moreover, it often leads to code optimizations, gives the programmers an opportunity for introspection, and produces traceable results.

Cure53 found nine issues during the testing, and NordVPN’s team addressed them all before the audit was concluded. As the team behind NordPass stated, they celebrated this success by introducing a new feature called “Trusted Contacts.” It allows users to manually exchange their encryption keys, minimizing the risk of man-in-the-middle attacks. While this is without doubt a welcome addition, it would have been even better if the feature had been incorporated into the app before Cure53 was contracted, since its code would then have been tested too. That small detail aside, NordPass users should be even more confident that their information is appropriately protected inside the app’s vault.
