TunnelBear App Potentially Vulnerable To Hacker Attacks

December 19, 2017

In an effort to identify and fix any security vulnerabilities, TunnelBear VPN conducted its first security audit just a couple of months ago and promptly resolved the issues discovered in the process. However, the latest research conducted by security experts from the University of Birmingham revealed that TunnelBear still has some issues it needs to address. Namely, the researchers discovered that a number of iOS and Android apps, including the TunnelBear VPN app, suffer from security flaws that make them vulnerable to "man-in-the-middle" attacks. Here is what that means and what can be done about it.

Spoofable Certificates

The main problem lies in the way the apps in question currently handle certificate pinning, that is, the way they determine which certificates are trusted for particular servers. The issue occurs while the apps are establishing a TLS connection: at that point the connection can be intercepted, and an attacker has a window in which to spoof the certificate being handled. This can endanger the safety of users, whose login details and online activity data may become available to third parties.

Security flaws of this kind are far from uncommon and it is fortunate that this particular flaw has been identified before any major security breach. Keeping in mind that TunnelBear has already proved to be a trustworthy service that does its best to protect its users, we have no doubt that it will find a proper solution to this problem quite soon. We believe it would be wise to take the advice offered by the researchers who discovered the flaw in the first place and provide standardized pinning implementations that can prevent these issues from arising in the future.

For now, we are waiting for TunnelBear to come out with an official statement regarding this security flaw and we sincerely hope that we will have some good news for you soon. Stay tuned for updates.