X41 D-Sec GmbH

X41 D-Sec GmbH is an expert provider for application security services. Custom research and IT security consulting and support services are core competencies of X41 D-Sec GmbH.
Homepage: https://www.x41-dsec.de
Github: https://github.com/x41sec
LinkedIn: https://de.linkedin.com/company/x41
New security audit of account and payment services

Late last year X41 D‑Sec GmbH performed a white‑box source‑code audit of the Mullvad payment and account API and its supporting backend services.

Mullvad VPN

After auditing the @mullvadnet client applications in 2024, we have recently audited Mullvad VPN's API.
The API is used by clients, partners, and internal services to manage user accounts and parts of the VPN infrastructure.
Five issues were identified, of which only one had a very limited impact on users of the service.

The technical details may be found in our report. https://www.x41-dsec.de/security/research/news/2026/01/20/mullvad/

X41 Audited Mullvad VPN AB API

X41 releases the audit report of Mullvad VPN AB’s API and connected services

X41 D-Sec - Penetration Tests and Source Code Audits

https://x41-dsec.de/security/training/tableopt/exercise/2025/03/12/tabletop-exercises/

What are Tabletop Exercises (TTX) and why they matter to companies.

Intro to Tabletop Exercises (TTX)

What is a tabletop exercise (TTX) and why your company should run one.

X41 D-Sec

X41 performed an audit of Hickory DNS, which is an open-source Rust-based DNS client, server, and resolver. We were sponsored by the great folks at @ostifofficial and supported by @ProssimoISRG.

Our full report can be downloaded here: https://x41-dsec.de/security/research/job/news/2025/03/10/hickory-review-2025/

X41 Reviewed Hickory DNS

X41 finished auditing Hickory DNS and releases the resulting report.

X41 D-Sec

X41 Reviewed Mullvad VPN
https://x41-dsec.de/news/2024/12/11/mullvad/

Many thanks to the @mullvadnet team for the professional and good interaction during this audit!

X41 releases the audit report of Mullvad VPN

X41 D-Sec
Advisory X41-2024-002: Multiple Vulnerabilities in Antragsgrün

X41 discovered multiple vulnerabilities in Antragsgrün

X41 D-Sec
We just published our research on the use of power side channel analysis for fuzzing:
https://x41-dsec.de/news/2024/05/21/chipfuzz/
Using power side channel for fuzzing coverage

X41 explores using power side channels for fuzzing coverage guidance.

X41 D-Sec
Chilkat PRNG Vulnerability Impact on E2EE Messenger ginlo
https://x41-dsec.de/news/2024/04/09/ginlo/

A proof of concept for how the vulnerability in Chilkat’s PRNG impacted an app using it.

X41 D-Sec
Advisory X41-2024-001: Weak Chilkat PRNG

The Chilkat library generated secret key material using a pseudorandom number generator not designed for cryptographic purposes. Attackers observing a sufficient number of outputs can recover past and future outputs of it. This includes, for example, key material generated with it, allowing attackers to decrypt or alter data protected by the key material.

X41 D-Sec
X41 reviewed the source code of BIND9 for security issues on behalf of the @iscdotorg. More details and the full report are available here:
https://www.x41-dsec.de/news/security/research/source-code-audit/2024/02/13/bind9-security-audit
X41 Source Code Audit of ISC BIND 9

X41 releases the code audit report of BIND 9
