Researchers have unpacked 22 potential cybersecurity issues surrounding and adjacent to Google's new VPN, the Google One VPN.
Of these concerns, just three rose to the level of “medium severity,” while the rest were rated as low severity or “informational observations.”
Google has already fixed one of the biggest issues and a few others, but the new report notes that many of the flagged problems haven't yet been resolved. Google certainly has a decent track record for taking security bugs seriously (and even led the charge on patching up the open source software security industry recently), so we expect them to address these concerns sooner rather than later.
What Are the Google One VPN Security Issues?
Google asked for the report itself, using the third-party firm NCC Group, and the group has just released the entire 52-page public report to all online. Specifically, it's a technical component analysis and source code review, and the 24 findings can be broken down into three different categories:
- Three findings rated medium-severity
- Ten findings rated low-severity
- Nine findings rated as informational observations
Google has addressed one finding from each category, leaving a total of 19 remaining. The report details the top three medium-level security concerns first.
The biggest one is already fixed: It would have potentially left the Windows VPN application open to execution by someone with adminstrator access rather than stronger user restrictions.
“While NCC Group did not find any software vulnerabilities in this application, potential insecure coding practices could result in a privilege escalation attack. This issue was correctly addressed by Google during the retest, and now the application is executed with user privileges.” ~the report
The other two medium risk findings still remain. They both relate to the login process for both the Windows and MacOS versions of the VPN, and leave the service open to being denied availability by “local malicious applications” or could leak an OAuth token through temporary local ports.
Should You Use Google One VPN?
There are plenty of reasons why these security issues seem unlikely to pose a huge problem. For one thing, Google is well aware of all of them, having engaged NCC Group to investigate them in the first place, and Google knows it is in its own best interest to patch up all risks when it comes to security and user privacy.
Plus, even the more serious security concerns detailed above didn't rise to the level of high or critical severity, which is common with VPNs like Encrypt.me.
Ultimately, the Google One VPN is about as trustworthy as any other VPN on the market when it comes to security. That said, there is one reason why you may not want to opt for it: Anyone who uses Google's VPN will be funneling all their internet activity through Google, an internet tech giant with a long, storied history of scooping up data through third-party tracking software.
If you're a privacy-conscious type, keeping your activity hidden from the ad-tech duopoly of Google and Facebook is likely one of your priorities. To explore your smaller VPN options while keeping your internet use safe, secure, and speedy, we've rounded up all the top options over here.