Mozilla VPN undergoes second security audit


Mozilla VPN has undergone an independent security audit, the report for which was released on 6th December, 2023. This is its second audit; the first Mozilla VPN audit was back in 2021. The audit was carried out by Cure53, a German cybersecurity firm with more than 15 years of industry experience, including assessing the best VPN services.

The audit’s scope covered the Mozilla VPN apps for macOS, Linux, Windows, iOS, and Android. Two major vulnerabilities were found during the process: one was rated critical and the other high risk. The good news is that both of these vulnerabilities have since been fixed by the company. Let’s now go through the details of all of the vulnerabilities that were uncovered.

FVP-03-008: Keychain access level leaks WG private key to iCloud (critical risk) 

The audit revealed that the WireGuard configuration stored in the iOS Keychain was saved with the wrong access level. As a result, the configuration (private key included) was written into the iCloud backup, which isn’t end-to-end encrypted. Simply put, unless you have activated Advanced Data Encryption, Apple would be able to read your WireGuard configuration.

However, after discussions with Mozilla, Cure53 concluded that this behavior occurs only under specific test situations.

FVP-03-011: Lack of local TCP server access controls (medium risk) 

Mozilla VPN clients exposed a local TCP interface on port 8754, bound to localhost, which is used to communicate with the Firefox Multi-Account Containers extension. Binding to localhost keeps remote hosts out but not other local processes or user accounts, so any operator on the local host could disable the VPN simply by sending a request to that port.

This vulnerability, too, was solved and verified.
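A minimal illustration of this class of weakness, written for this article and not taken from Mozilla VPN's code base: a localhost control port whose only "protection" is the 127.0.0.1 bind, beside a version that requires a per-launch secret that only the VPN user's own processes can know. The command names, the token format and the use of an ephemeral port are assumptions made for the example.

```python
"""Localhost control port: why binding to 127.0.0.1 is not access control.

Added example, not Mozilla VPN's code. The command set, the token format and
the port choice are assumptions made for illustration.
"""
import hmac
import secrets
import socket
import threading

CONTROL_HOST = "127.0.0.1"


def handle_unauthenticated(request: str, state: dict) -> str:
    """Weak handler: anything that can reach the port may disable the VPN.

    Binding to 127.0.0.1 only keeps remote hosts out; every process and every
    user account on the same machine can still connect.
    """
    if request == "disable":
        state["vpn_enabled"] = False
        return "ok"
    if request == "status":
        return "enabled" if state["vpn_enabled"] else "disabled"
    return "error unknown command"


def handle_authenticated(request: str, state: dict, session_token: str) -> str:
    """Hardened handler: each request must start with a per-launch secret.

    In a real daemon the secret is generated at start-up and written to a file
    readable only by the VPN user (mode 0600), so a process running as another
    local account cannot present it. The comparison is constant-time.
    """
    token, _, command = request.partition(" ")
    if not token or not hmac.compare_digest(token, session_token):
        return "error unauthorized"
    return handle_unauthenticated(command, state)


def serve_one(handler, state: dict) -> tuple[int, threading.Thread]:
    """Listen on an ephemeral localhost port and answer exactly one request."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((CONTROL_HOST, 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def run():
        conn, _ = listener.accept()
        with conn, listener:
            request = conn.recv(1024).decode().strip()
            conn.sendall(handler(request, state).encode())

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def send_command(port: int, line: str) -> str:
    """Act as any local process would: connect to the port and send a line."""
    with socket.create_connection((CONTROL_HOST, port), timeout=5) as sock:
        sock.sendall(line.encode() + b"\n")
        return sock.recv(1024).decode()


def run_demo() -> dict:
    """Drive both servers from 'another local process' and record the outcome."""
    results = {}

    # Weak server: a bare "disable" from localhost is enough.
    weak_state = {"vpn_enabled": True}
    port, thread = serve_one(handle_unauthenticated, weak_state)
    results["weak_disable"] = send_command(port, "disable")
    thread.join()
    results["weak_enabled_after"] = weak_state["vpn_enabled"]

    # Hardened server: the same request is refused without the session token.
    hard_state = {"vpn_enabled": True}
    session_token = secrets.token_hex(32)
    handler = lambda req, st: handle_authenticated(req, st, session_token)
    port, thread = serve_one(handler, hard_state)
    results["hard_disable_no_token"] = send_command(port, "disable")
    thread.join()
    results["hard_enabled_after"] = hard_state["vpn_enabled"]

    # ...and honoured when the caller can prove it holds the token.
    port, thread = serve_one(handler, hard_state)
    results["hard_disable_with_token"] = send_command(port, f"{session_token} disable")
    thread.join()
    results["hard_enabled_final"] = hard_state["vpn_enabled"]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The token only helps if it is stored somewhere other local accounts cannot read, which is why the file permissions matter as much as the check itself; a Unix-domain socket with a peer-credential check is the other common fix for the same problem.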

FVP-03-012: Rogue extension can disable VPN using mozillavpnnp (high risk) 

The Native Messaging API is used for communication between the Multi-Account Containers extension (mentioned under FVP-03-011) and mozillavpnnp, the VPN’s native messaging component. The auditors found that mozillavpnnp couldn’t restrict which callers were allowed to talk to it, meaning a rogue browser extension could interact with the VPN and disable it.

This vulnerability was flagged as high-risk and was addressed by the VPN provider.

FVP-03-003: DoS via serialized intent (medium risk) 

Testing revealed that the Mozilla VPN Android app exported activities to third-party apps, which could be leveraged to crash the app altogether with a crafted intent. A background app can do this repeatedly, rendering the Android app inoperable and causing a denial of service (DoS).

However, this was only rated a medium-level threat because the WireGuard tunnel kept running even after the app crashed: the tunnel is managed by the Android OS rather than by the app. The issue was fixed by Mozilla, and the fix was duly verified by Cure53.

FVP-03-009: Lack of access controls on daemon socket (medium risk) 

Cure53 found in its testing that the daemon socket on macOS didn’t enforce access control, i.e. it didn’t verify that the user sending commands to the socket was authorized to do so.

Without such a check, any unauthorized user on the machine could read and clear daemon logs, leak public keys, and terminate the daemon and the VPN connection. Mozilla has addressed this vulnerability, and the fix has been verified by Cure53.

FVP-03-010: VPN leak via captive portal detection (medium risk) 

The audit found that the captive portal notification feature could send unencrypted HTTP requests outside of the VPN tunnel, which could lead to IP leakage. Cure53 advised turning off the feature specifically to prevent such leaks. 

However, the risk associated with this vulnerability is relatively low since exploiting it is complex. Like the other findings, this, too, has been fixed by Mozilla.

Bottom line

As you can see, Mozilla VPN didn’t get a clean report from Cure53. However, the audit helped the provider fix parts of its VPN service that could have compromised user safety in the future.

For the same reason, we recommend only those VPN services that undergo regular audits, even if the reports are not always perfect – it goes to show the provider’s commitment to making its VPN safe and reliable for the public at large. Plus, as in the case of Mozilla VPN, any vulnerabilities found during these audits can be fixed before it’s too late.

Krishi Chowdhary
Contributor

Krishi is a VPN writer covering buying guides, how-to's, and other cybersecurity content here at Tom's Guide. His expertise lies in reviewing products and software, from VPNs, online browsers, and antivirus solutions to smartphones and laptops. As a tech fanatic, Krishi also loves writing about the latest happenings in the world of cybersecurity, AI, and software.
