Mozilla VPN has undergone an independent audit, the reports for which were released on 6th December, 2023. This is its second one, and the first Mozilla VPN audit was back in 2021. The audit was undertaken by Cure53, a German cybersecurity firm with more than 15 years of industry experience of assessing the best VPN services.
The audit’s scope included checking the Mozilla VPN apps for macOS, Linux, Windows, iOS, and Android. Two major vulnerabilities were found during the process; one was flagged as critical and the other as high risk. The good news is that both these vulnerabilities were duly fixed by the company. Let’s now go into the details of all of the vulnerabilities that were uncovered.
FVP-03-008: Keychain access level leaks WG private key to iCloud (critical risk)
The audit revealed an access level error within the WireGuard configuration stored in the iOS Keychain. This led to the storage of the configuration in the iCloud backup, which isn’t end-to-end encrypted. Simply put, it means that if you fail to activate Advanced Data Encryption, Apple will be able to read your Wireguard configuration.
However, after discussions with Mozilla, Cure53 concluded that this behavior occurs only under specific test situations.
FVP-03-011: Lack of local TCP server access controls (medium risk)
Mozilla VPN clients were exposing a local TCP interface on port 8754 (which is tied to a local host) during its communication with Firefox Multi-Account containers. Any operator on the local host can disable the VPN by issuing a request to the port.
This vulnerability, too, was solved and verified.
FVP-03-012: Rogue extension can disable VPN using mozillavpnnp (high risk)
The Native Messaging API was used to communicate between Multi-Account containers (mentioned in FVP-03-011) and mozillavpnnp. The Auditors found that mozillavpnnp isn’t capable of restricting application callers, meaning a malicious actor could interact with the VPN and disable it.
This vulnerability was flagged as high-risk and was addressed by the VPN provider.
FVP-03-003: DoS via serialized intent (medium risk)
Testings revealed that the Mozilla Android VPN app was exposing user activities to third parties, which could be leveraged to crash the app altogether through a crafted intent. A background app can do this recurrently, making the Android app inoperational and causing a DoS.
However, this was only considered a medium-level threat as the WireGuard tunnel didn’t fail even after the app crash. This is because it’s managed by the Android OS. The issue was fixed by Mozilla, which was duly verified by Cure53.
FVP-03-009: Lack of access controls on daemon socket (medium risk)
Cure53 found in its test that the daemon socket on macOS didn’t have access control enforcement, which is important to verify that the user sending commands to the daemon socket is authorized to do so.
Without this, any unauthorized user can read and clear daemon logs, leak public keys, and terminate the daemon and VPN connection. This vulnerability has been attended to by the VPN provider, and the fix has been verified by Cure53.
FVP-03-010: VPN leak via captive portal detection (medium risk)
The audit found that the captive portal notification feature could send unencrypted HTTP requests outside of the VPN tunnel, which could lead to IP leakage. Cure53 advised turning off the feature specifically to prevent such leaks.
However, the risks associated with this vulnerability are relatively low since the exploitation methods are complex. Like other threats, this, too, has been neutralized by Mozilla.
Bottom line
As you can see, Mozilla VPN wasn’t able to score a clean report from Cure53. However, the audit helped the provider improve parts of its VPN services, which could have compromised user safety in the future.
For the same reason, we recommend only those VPN services that undergo regular audits, even if the reports are not always perfect – it goes to show the provider’s commitment to making its VPN safe and reliable for the public at large. Plus, as it's in the case of Mozilla VPN, any vulnerabilities found during these audits can be fixed before it’s too late.
