Researchers Uncover 22 Security Concerns Surrounding Google One VPN

The Google VPN's source code review is out, and it found a couple dozen potential privacy issues. Here's what to know.

Researchers have unpacked 22 potential cybersecurity issues surrounding and adjacent to Google's new VPN, the Google One VPN.

Of these concerns, just three rose to the level of “medium severity,” while the rest were rated as low severity or “informational observations.”

Google has already fixed one of the biggest issues and a few others, but the new report notes that many of the flagged problems haven't yet been resolved. Google certainly has a decent track record for taking security bugs seriously (and even led the charge on patching up the open source software security industry recently), so we expect them to address these concerns sooner rather than later.

What Are the Google One VPN Security Issues?

Google asked for the report itself, using the third-party firm NCC Group, and the group has just released the entire 52-page public report to all online. Specifically, it's a technical component analysis and source code review, and the 24 findings can be broken down into three different categories:

  • Three findings rated medium-severity
  • Ten findings rated low-severity
  • Nine findings rated as informational observations

Google has addressed one finding from each category, leaving a total of 19 remaining. The report details the top three medium-level security concerns first.

The biggest one is already fixed: It would have potentially left the Windows VPN application open to execution by someone with adminstrator access rather than stronger user restrictions.

“While NCC Group did not find any software vulnerabilities in this application, potential insecure coding practices could result in a privilege escalation attack. This issue was correctly addressed by Google during the retest, and now the application is executed with user privileges.” ~the report

The other two medium risk findings still remain. They both relate to the login process for both the Windows and MacOS versions of the VPN, and leave the service open to being denied availability by “local malicious applications” or could leak an OAuth token through temporary local ports.

Should You Use Google One VPN?

There are plenty of reasons why these security issues seem unlikely to pose a huge problem. For one thing, Google is well aware of all of them, having engaged NCC Group to investigate them in the first place, and Google knows it is in its own best interest to patch up all risks when it comes to security and user privacy.

Plus, even the more serious security concerns detailed above didn't rise to the level of high or critical severity, which is common with VPNs like Encrypt.me.

Ultimately, the Google One VPN is about as trustworthy as any other VPN on the market when it comes to security. That said, there is one reason why you may not want to opt for it: Anyone who uses Google's VPN will be funneling all their internet activity through Google, an internet tech giant with a long, storied history of scooping up data through third-party tracking software.

If you're a privacy-conscious type, keeping your activity hidden from the ad-tech duopoly of Google and Facebook is likely one of your priorities. To explore your smaller VPN options while keeping your internet use safe, secure, and speedy, we've rounded up all the top options over here.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Written by:
Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' is out from Abrams Books in July 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.
Explore More See all news
Back to top
close Building a Website? We've tested and rated Wix as the best website builder you can choose – try it yourself for free Try Wix today