TorGuard copied its Chrome extension and implemented it insecurely

Yesterday went on the record to announce its discovery that rival VPN, TorGuard, has in fact copied the design for its Chrome extension. The discovery, which was made by one of’s customers, was first announced on Twitter where it caused quite a stir amongst the technology and infosec community.

Following the announcement, soon added a blog on the discovery to its website. In it they explain that not only has TorGuard stolen its design (a move that is strictly prohibited according to its terms of service,) but has also been using its geolocation API server address. That geo-IP API server belongs to, and it is now hosting this picture on it to prove that it is theirs.

Screenshot 2015-07-22 11.56.18 has also revealed that by using its API server TorGuard has implemented its browser proxy service in an entirely insecure way, meaning that users of TorGuards Chrome extension have in fact not been receiving the secure service that Torguard’s product promises,

‘An advice to Torguard: when copying someone else’s work, please also consider your users.’

Explaining why they decided to go public with the announcement,’s blog says,

‘We make this public to avoid the awkward moment when someone might accuse us of copying them and not the other way around.’

This move, however, was not strictly necessary considering that anybody can use a program like CRX source viewer to view the open source code for its app. In this way, anyone can quickly verify within the webstore, that TorGuard’s app is indeed nearly entirely an imitation.

Add to this the fact that released its Chrome extension on December 17, 2014, and that even its Firefox extension was released in advance of TorGuard’s Chrome extension (this May), and you get a pretty clear picture of what has happened.

In its blog, was quick to point out just why using someone else’s API is such a huge mistake,

‘Fyi, using someone else’s API servers, as a VPN service, is a very irresponsible mistake – just terrible from a security & privacy point of view. What they do by using someone else’s servers such as our API service, essentially, is to expose all their Chrome Proxy users’ IPs to a competitor.’

Luckily for TorGuard, had no reason to log user IP addresses (because they offer a secure service and don’t look at IP addresses themselves).  The truth, however, is that TorGuard have gotten off lightly because a more malicious competitor could have redirected them or forged the JSON replies to mess-up with the extension’s functionality. This sentiment was reiterated by Twitter user @blowdart who said,

@vpnac missed a chance for mischief, could have returned much more interesting things as location strings.’

In its blog, also goes on to explain other security aspects involved in the copycat extension, explaining, almost unbelievably, that TorGuard had failed to copy the most important parts of the code,

Not everything from our app was copied (they missed the good parts!), for example, the storage of credentials and the update of active servers via JSON queries:

  • TorGuard stores the credentials in clear-text; we are XORing the pass to protect it against spyware that will search all over the place for clear-text credentials.
  • The obvious risk of providing server IPs over HTTP is that they can be easily hijacked in a MitM attack;
  • TorGuard’s HTTPS proxy is highly insecure: uses insecure ciphers like RC4, supports SSL 3, is vulnerable to POODLE attack, doesn’t provide Forward Secrecy. Gets a shameful Grade C on Qualys test. Result mirrored (in case you don’t want to wait for the test to finish). And this is our result/mirror (FS enabled, no weak ciphers, support only for TLS 1.1 and 1.2)’

Luckily for TorGuard customers’ has not behaved in a harmful way, or decided to engage in any form of revenge tactics. Instead electing to move forward by simply announcing its discovery to the world – a move that it can not be faulted for.

For this reason, although we advise current TorGuard users to not be overly worried about the security breach, we do strongly recommend moving away from its VPN service in favour of something that has not been proven to be a total security let down.

Sadly, we have not been able to get a response out of TorGuard following the discovery. In fact, the only reply to the issue was directed at’s Twitter where it simply replied ‘K THX’ to the allegations. Not exactly an encouraging response to such an enormous issue from a reputable brand that has been caught with its trousers down.

Since the announcement, TorGuard has removed’s geo API servers from its app, but remains unapologetic for maliciously copying its app design.



Ray Walsh I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR and I am an advocate for freedom of speech, equality and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood and love to listen to trap music.

Related Coverage


8 responses to “TorGuard copied its Chrome extension and implemented it insecurely

  1. I just looked up to see what the story was there
    they are headquartered in romania!

    you think you can trust your private information flowing through old soviet block countries… the hotbead of advanced persistent threat activity

    so maybe tor guard is ok
    maybe is ok

    I’m going to continue looking
    find someone with an HQ in the united states

    checking out hidemyass and relooking at anonymizer to see who owns/manage them today

    good luck!

    1. Hi Secured Today,

      I really do not recommend HMA when it comes to privacy or trustworthiness. Try AirVPN, BolehVPN, and Mullvad…

  2. ugh. I ran into this set of articles as I was researching tor guard prior to making a purchase. for most of you that don’t know (ye consumers) the most important part of buying an anonymous vpn is the trust in the supplier. If they are corrupt, or have investors that can control their traffic, they can see every authentication you run through the system … everything. So I was looking to make sure tor guard wasn’t based in china or something like that. then I ran into this mess between them and or whatever.
    there was another service called anonymizer that I thought was acquired by a company where the executives were ex intelligence operatives. hmmm. I wondered about how this might effect the integrity of what goes through anonymizer.
    not that i have anything to hide, but I want my privacy.
    so … where am I? where are we? looks like you are far better trading off lots of vpn features for a trusted party based in a place like the united states.
    of course, a pc windows with tor would be the best choice but windows is such a hotbed for malware and apt’s that you are better off with a chromebook trying to figure out alternatives like I am
    so, I don’t feel so good about tor guard now
    Not sure about a company that hides their management team and investors – I cannot find these people listed anywhere

    wait, I’ll look on linked in now and report

    there is only one guy who claims he worked at torguard in florida from 2011 to 2014

    that’s it:

    Customer Service/Tier I Tech Support Guard LLC.
    September 2011 – April 2013 (1 year 8 months)Orlando, Florida

    -Provided support for Mac, Windows, iOS and Android VPN troubleshooting issues.

    -Responded to and resolved priority tickets for server and VPN related issues with a 7 minute average response time.

    -Assisted clients with set up and maintenance of accounts.

    -Proactively resolved customer issues through the creation of FAQs for the company website.

    -Resolved payment issues with Stripe and Bitcoin and ensured proper payment is processed and/or refunded.

    -Monitored online chat service with fast response time, average 2-5 minutes to resolve issues.

    -Maintained customer satisfaction with fast response times and average of 8 out of 10 in customer ratings.

    -Captured client feedback through client phone calls, emails and live chat to identify and report product problems and have them resolved.

    -Provided detailed monthly reports to supervisors on client satisfaction, server operations, and tech support.

    -Trained new team members on VPN support protocols, proper escalation, and
    reporting of issues.

    -Supervised tech support staff to ensure low wait times and client satisfaction while also assisting tech support staff with any escalations so they can be resolved in a timely manner.

  3. Hello Ray

    Did you even test these things before you posted this article? the SSLlabs claims are false, please test the proxies on torguard at ssllabs you will see that no RC4 ciphers are enabled and that SSLv3 or v2 are disabled, both are disabled….

    I see the Chrome app IS using encryption, did you not check that too ? you should really check these things yourself before posting. The company is just looking for some traffic (as they seem to need it) and by the looks of it trying to fabricate a story out of (using an geo IP API) which would take requests from the proxies servers themselves (not exposing anyone).

    Tony Andrews @ bihsec

    1. Hi Tony
      We did check and you’re correct that these issues aren’t existent anymore. However:
      1) TorGuard didn’t deny anything and updated their application so it would be no surprise that they also updated the other problems pointed out by
      2) was likely aware that this will happen and you can see the mirror images on their website of what they found
      3) We were able to test the old TorGuard Proxy, as are hosting a mirror of this as well, and as pointed out, passwords weren’t encrypted in it.
      4) We have contacted TorGuard, yet for such large and extensive accusations it’s surprising that we have not received a reply and they have been silent on Twitter as well. In such cases, we’d expect a company to say a bit more than “K THX”
      Thanks for your interest in the article,

    2. > the SSLlabs claims are false, please test the proxies on torguard at ssllabs you will see that no RC4 ciphers are enabled and that SSLv3 or v2 are disabled, both are disabled….

      The fact that it’s been updated doesn’t mean it wasn’t an issue. And by the way, in current state the Qualys test still looks pretty bad. Perhaps they need some more time to figure out how to properly implement Forward Secrecy and such.

      > I see the Chrome app IS using encryption, did you not check that too ? you should really check these things yourself before posting.

      How about you check the affected version which is mirrored?

      > The company is just looking for some traffic (as they seem to need it)

      The company has made a legitimate disclosure on an event of having their product copied. How on earth is that an attempt to look for traffic? logic much?

      > trying to fabricate a story

      The evidence is right there and everything was already verified by people from the infosec community. Again, you can check yourself if you know how to do so (personally having some doubts on this). Torguard confirmed removal of geo IP service: why would they do that if a story is “fabricated”?

      > which would take requests from the proxies servers themselves (not exposing anyone).

      Once again, you don’t seem to understand how stuff works. The geo IP service is accessed BEFORE and AFTER establishing a connection. So that’s both using the user real IP and the proxy IP. It does expose the user. The code is right there for you to check when and how the geo IP is accessed.

Leave a Reply

Your email address will not be published. Required fields are marked *