Security is a very important concern for us, and we are constantly working to better protect our customers' data. One approach we take is to engage external security companies to audit parts of our software and infrastructure and help us locate potential issues.
We engaged Sakurity to do a black-box penetration test on Pusher Channels in April 2017. We then resolved all the issues they found by May 2017. Their summary can be found below.
We also frequently engage with independent security researchers who responsibly report security vulnerabilities to us. More info on our responsible disclosure program can be found on our security page.
Date: April 10, 2017
Conditions: 1 week of blackbox pentest
Prepared by: Sakurity Limited
During this blackbox audit we reviewed all Pusher libraries including Pusher.js. No exploitable issues were found. All attack vectors we outlined back in May 2015 are properly fixed (socket_id is strictly validated) and now there's no way to sign arbitrary strings abusing /pusher/auth endpoints.
All exposed backend services were also tested for common vulnerabilities, and nothing was found.
Core functionality such as subscribing to private-* channels or creating an event is properly secured.