Cure53 Discovers Mozilla VPN Security Risks

Mozilla has just published the results of a recent third-party security audit of its VPN products.

The report suggests that there are some security risks and offers fixes to ensure better user privacy and security.

Mozilla VPN security risks found

As a part of its commitment to continuously improve its services, Mozilla has made the results of a recent third-party audit public.

Cure53, a German cybersecurity company, examined Mozilla’s VPN products earlier this year.

It discovered some risks which include Denial of Service (DoS), keychain access leaks, and lack of access controls.

The scope of the audit included:

• Mozilla VPN app for Windows
• Mozilla VPN app for macOS
• Mozilla VPN app for Linux
• Mozilla VPN app for Android
• Mozilla VPN app for iOS

The overall result of the audit was that Mozilla VPN does a lot of things right when it comes to both security and privacy, but that there are some issues that need to be addressed.

Cure53 went on to label the risks as medium, high, and critical and offered steps for dealing with them. The security vendor recommended allocating more resources toward ensuring privacy.

Later in this post, we’ll examine each risk the auditor found.

Conducting research through a third party is one of the best practices to ensure the VPN app is trustworthy and reliable.

Earlier this year, NordVPN passed an audit also conducted by Cure53. 

One of the biggest professional services networks, Deloitte, verified Surfshark’s no-logs statement in 2023 as well.

Critical and high risks

First, we’ll take a look at the risks the auditor labeled as high and critical.

Using the Frida framework together with the Objection toolkit, Cure53 discovered that on iOS, Mozilla VPN’s WireGuard configuration allows device backups to be stored within the iCloud.

While iCloud backups are encrypted, they’re not end-to-end encrypted by default. Unless the user changes this in advanced options, Apple will be able to read the WireGuard private key.

Another big risk is tied to malicious add-ons. 

Cure53 discovered that the Native Messaging API is used to communicate with the mozillavpnp app. The problem is that the app doesn’t restrict the application caller sufficiently enough, allowing anyone to communicate with the VPN and disable it through a malicious add-on.

To fix this issue, Cure53 suggests including a caller origin validation in the native app.

Medium risks

The first problem Cure53 encountered was the ability to lock a user’s account by repeatedly entering incorrect passwords. If an attacker forces the account into a permanently locked state this way, the affected user will also no longer be able to access it.

Testing also showed that third-party Android apps can crash the Mozilla VPN app at any point. However, due to the WireGuard tunnel being managed by the Android OS, the app crashing doesn’t cause the tunnel to fail. Thus, Cure53 labeled this as a medium threat.

Another issue is that the daemon socket on macOS doesn’t have sufficient access control enforcement. This allows other users on the same device to access and clear daemon logs, leak the public keys of the connecting client, and terminate the VPN connection.

A similar problem exists due to the VPN client exposing a local TCP interface running on port 8754. Another user on the same localhost can send requests to the port and terminate the VPN connection. 

In addition, Mozilla VPN’s captive portal notification feature sends unencrypted HTTP requests outside of the active tunnel. This creates the risk of deanonymization, which opposes the entire purpose of using a VPN.

Summary

While Mozilla’s VPN demonstrates strengths in security and privacy, the Cure53 audit has identified critical areas for improvement.

Addressing these issues will be crucial for Mozilla to ensure the highest level of privacy and security for its VPN users.