Today we’re happy to announce the completion of an independent security audit of Opera’s free built-in browser VPN. Opera’s free, no-log, built-in browser VPN was originally launched as part of the PC browser in 2016 and later added to the Opera browser on Android. It provides our users with an enhanced level of browser privacy.
The audit of our browser VPN was conducted by Cure53, a renowned cybersecurity firm based in Berlin with more than 15 years of experience in software testing and code auditing. During the review, fourteen issues were identified, seven directly relating to the browser VPN, all of which were subsequently resolved. The fixes were then verified by Cure53. The audit was part of Opera’s third-party security review program, which complements our internal review programs and helps improve the overall security of our products.
The testing scope of the audit included: VPN backend infrastructure, desktop client-side implementation, and mobile browser client-side implementation. The Cure53 team was provided with the VPN source code, configuration details, documentation and access to internal infrastructure in order to conduct white-box penetration testing.
Cure53 identified a few issues in the VPN product, all of which were fixed by the Opera product team in accordance with, and then verified by, Cure53.
A few of the issues found in Mini (used in Android Opera configuration delivery) were considered low-risk due to other measures in place around them. These issues were not directly related to VPN privacy/security and do not compromise it in any way.
You can read the executive summary of the audit work done here.
We are very satisfied with the project and plan to include more third-party partners in our security efforts and to publish more reports of this kind in the future. The Opera security team assesses the security of our products internally and on a continuous basis to ensure our users are protected from online threats.
If you are a security researcher and would like to contribute to the assessment of our products and services, we suggest you participate in our bug bounty program. We can also share a detailed VPN assessment with researchers who specialize in browser security upon their request.