Recurring |
one_organization |
(a) The software failure incident related to Surfshark VPN installing a risky Trusted Root Certificate Authority certificate has happened within the same organization. Surfshark VPN was criticized by AppEsteem researchers for unsound security design, including installing the root certificate even when a user cancels the app's installation. Surfshark has acknowledged the issues and is working on releasing updates to address the security and privacy concerns identified by AppEsteem [127279].
(b) The article does not mention similar incidents at other organizations, so there is no information about the same kind of failure recurring across multiple organizations [127279]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to design can be seen in the case of Surfshark VPN, where researchers from AppEsteem identified unsound security design in the app. Specifically, Surfshark was criticized for installing a risky Trusted Root Certificate Authority certificate. A root certificate in the device's trust store is accepted as the anchor for any certificate chain that leads to it, so whoever controls its private key can issue certificates that the device will trust for any site or service, which is why its installation could compromise the user's device security. The company acknowledged the issues and stated that it would release updates to address the design flaws [127279].
(b) The software failure incident related to operation can be observed in the behavior of the Surfshark app identified by AppEsteem researchers. They found that the app continued running processes in the background even after the VPN was disconnected and the app itself closed. Additionally, components of the app remained installed on a user's device even after uninstallation. These operational issues were highlighted as concerns by the researchers, indicating failures in the operation or behavior of the software [127279]. |
Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident with Surfshark VPN was primarily due to factors originating from within the system. The incident involved security and privacy concerns within the Surfshark app itself: installing a risky Trusted Root Certificate Authority certificate, running processes in the background after the VPN was disconnected, leaving components on the device after uninstallation, and not giving customers sufficient information about subscriptions and renewals [127279]. These issues were identified by researchers and acknowledged by Surfshark, which is working on fixing the highlighted problems within its app. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the Surfshark VPN app was primarily due to non-human actions, in the sense that the failing behaviour was the software's own. Researchers from AppEsteem identified unsound security design in the app: it installed a risky Trusted Root Certificate Authority certificate that, if compromised, would let the holder of its private key impersonate any site or service the device trusts; it kept processes running in the background after the VPN was disconnected and the app was closed; and it left components installed on the device after uninstallation. None of these behaviours required any action by the user [127279].
(b) Human actions also played a role, both in the design decisions behind those behaviours and in their remediation. Surfshark acknowledged the issues highlighted by AppEsteem and stated that it had been working on fixing them. The company said it plans to remove the IKEv2 VPN protocol option and focus on supporting WireGuard and OpenVPN, which it described as more secure, and that it is cooperating with AppEsteem to address the highlighted security and privacy concerns [127279]. |
Dimension (Hardware/Software) |
software |
(a) The article reports no hardware-related failure. The Trusted Root Certificate Authority certificate that Surfshark's app installed is a software artifact, an entry in the operating system's certificate trust store, not a hardware component, so it is covered under (b) [127279].
(b) The software failure incident can be observed in the article as researchers found several security and privacy concerns with the Surfshark app. The app installed a Trusted Root Certificate Authority certificate, giving the certificate's holder an alarming amount of influence over the user's device security: if the certificate were compromised, it could undermine all of the device's data and communication security. The app also continued to run processes in the background after the VPN was disconnected and the app was closed, left components installed on the user's device after uninstallation, and did not give customers sufficient information on cancelling subscriptions or on how they would be notified of renewal. Surfshark worked on fixing these issues highlighted by AppEsteem [127279]. |
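As an added example, not code from the article, from Surfshark or from AppEsteem: a PowerShell audit that checks a Windows machine for the two classes of residue described above, a third-party root CA certificate in the trust store and vendor processes, services, scheduled tasks, directories and uninstall entries left behind after an uninstall. The vendor string "ExampleVPN" and the $KnownRootThumbprints allowlist are placeholders the reader substitutes; nothing here reproduces what Surfshark's installer actually did beyond the two categories the article names.

```powershell
<#
Added audit example; not code from the article, Surfshark or AppEsteem.
Assumptions (placeholders): $Vendor = "ExampleVPN" stands in for the product
name to search for; $KnownRootThumbprints is an allowlist of root certificate
thumbprints you have verified yourself. Run in an elevated session so the
machine-wide store and all services are readable.
#>
param(
    [string]   $Vendor               = "ExampleVPN",
    [string[]] $KnownRootThumbprints = @()
)

$pattern = [regex]::Escape($Vendor)

# 1. Root CA certificates. A root is self-signed (Subject equals Issuer).
#    Whoever holds the private key of a root in these stores can issue a
#    certificate for any hostname that this machine (or this user) will accept,
#    so every root not on your allowlist has to be accounted for.
$roots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            HasPrivateKey = $_.HasPrivateKey      # a root whose key is on this box is a red flag
            Allowlisted   = ($KnownRootThumbprints -contains $_.Thumbprint)
            VendorMatch   = ($_.Subject -match $pattern)
        }
    }
}

"== Root certificates matching '$Vendor' or carrying a private key =="
$roots | Where-Object { $_.VendorMatch -or $_.HasPrivateKey } |
    Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

"== Roots not on the allowlist (review against the Microsoft Trusted Root Program list) =="
$roots | Where-Object { -not $_.Allowlisted } |
    Sort-Object Store, Subject | Format-Table Store, Subject, Thumbprint -AutoSize

# 2. Residue after uninstall: anything still running, registered or on disk
#    that mentions the vendor.
"== Processes =="
Get-Process | Where-Object { $_.ProcessName -match $pattern -or $_.Path -match $pattern } |
    Format-Table Id, ProcessName, Path -AutoSize

"== Services =="
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern } |
    Format-Table Name, State, StartMode, PathName -AutoSize

"== Scheduled tasks =="
Get-ScheduledTask | Where-Object { $_.TaskName -match $pattern -or $_.TaskPath -match $pattern } |
    Format-Table TaskName, TaskPath, State -AutoSize

"== Leftover directories =="
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
          $env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ }
Get-ChildItem -Path $dirs -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } | Select-Object FullName

"== Uninstall registry entries =="
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, UninstallString

# Removal is deliberate and manual. Once you have confirmed a root is not one
# you rely on (for example a VPN profile that validates its server certificate
# through it), delete it by thumbprint:
#   Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"
```

Save it as a script and run it as `.\Audit-VendorResidue.ps1 -Vendor "<product name>"`, once after uninstalling and, given AppEsteem's finding that the certificate was installed even when the user cancelled setup, once after a cancelled installation as well. The allowlist is there because the machine store legitimately contains many roots; the point is to force every entry that is not on your list to be explained.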
Objective (Malicious/Non-malicious) |
non-malicious |
(a) The software failure incident in this case appears to be non-malicious. The issues highlighted by AppEsteem researchers regarding Surfshark VPN's app were related to unsound security design: installing a risky Trusted Root Certificate Authority certificate even when the user cancelled the installation, running processes in the background after the VPN was disconnected, leaving components installed after the app was uninstalled, and a lack of transparency about subscription cancellation and renewal notifications. Surfshark responded by acknowledging the issues, fixing them, and planning to release updates to address the security and privacy concerns [127279]. |
Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The software failure incident related to Surfshark VPN was primarily due to poor decisions made by the company. The incident involved unsound security design, such as installing a risky Trusted Root Certificate Authority certificate that could compromise a user's device security. Surfshark was also criticized for leaving components installed on a user's device after the app was uninstalled and for not giving customers clear information about cancelling subscriptions and renewal notifications. The company acknowledged the issues and stated that it has fixed the highlighted problems in collaboration with AppEsteem [127279]. |
Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident related to development incompetence is evident in the case of Surfshark VPN. AppEsteem researchers identified several unsound security design issues in the Surfshark app, including the installation of a risky Trusted Root Certificate Authority certificate that could compromise a user's device security [127279]. This indicates a lack of professional competence in ensuring robust security measures within the app development process.
(b) The accidental side of the incident is suggested by the fact that Surfshark's app continued running processes in the background even after the VPN was disconnected and the app itself closed, and left components installed on a user's device after the app was uninstalled, pointing to oversights in the app's shutdown and cleanup behaviour rather than deliberate choices [127279]. |
Duration |
temporary |
The software failure incident reported in Article 127279 can be categorized as a temporary failure. The incident involved security and privacy concerns with the Surfshark VPN app, such as the installation of a risky Trusted Root Certificate Authority certificate and the app continuing to run processes in the background after disconnection. Surfshark acknowledged these issues and stated that it has fixed all highlighted problems, with Windows users expected to receive an updated version of the app soon. This indicates that the failure was temporary and was addressed through updates and fixes [127279]. |
Behaviour |
omission, value, other |
(a) crash: The article reports no crash. The processes that kept running in the background after the VPN was disconnected and the app was closed are a failure to stop rather than a failure to keep running, so that behaviour belongs under omission (b) [127279].
(b) omission: The Surfshark VPN app omitted cleanup it should have performed: it left processes running after the VPN was disconnected and the app closed, and it left components installed on a user's device even after the app was uninstalled, as noted by AppEsteem researchers [127279].
(c) timing: There is no specific mention of a timing-related failure in the provided article.
(d) value: The Surfshark VPN app had a value-related failure where it installed a risky Trusted Root Certificate Authority certificate, potentially compromising a user's device security, as reported by AppEsteem researchers [127279].
(e) byzantine: There is no specific mention of a byzantine-related failure in the provided article.
(f) other: The Surfshark VPN app also had an "other" behavior where it did not provide customers enough information on how to cancel annual subscriptions or how customers would be notified about subscription renewal, as pointed out by AppEsteem researchers [127279]. |