Mozilla released the audit results of its VPN client

Few days ago Mozilla released the publication of the announcement of the completion of the independent audit made to client software that is used to connect to Mozilla's VPN service.

The audit analyzed a separate client application written with the Qt library and delivered for Linux, macOS, Windows, Android, and iOS. Mozilla VPN works with more than 400 servers from the Swedish VPN provider Mullvad in more than 30 countries. The connection to the VPN service is made using the WireGuard protocol.

The audit was performed by Cure53, which at one point audited the NTPsec, SecureDrop, Cryptocat, F-Droid, and Dovecot projects. The auditory involved source code verification and included testing to identify potential vulnerabilities (Crypto-related issues were not considered.) During the audit, 16 security problems were identified, 8 of which were recommendation type, 5 were assigned a low hazard level, two - medium and one - high.

Today, Mozilla released an independent security audit of its Mozilla VPN, which provides device-level encryption and protection of your connection and information when on the web, from Cure53, a Berlin-based impartial cybersecurity company with over 15 years of operation. software testing and code auditing. Mozilla periodically works with third-party organizations to supplement our internal security programs and help improve the overall security of our products. During the independent audit, two issues of medium severity and one high severity were discovered. We have addressed them in this blog post and published the security audit report.

However, it is mentioned that just a problem with a medium severity level was classified as a vulnerability, sincee was the only one that was exploitable and the report describes that this issue was leaking VPN usage information in code to define the captive portal by sending unencrypted direct HTTP requests outside the VPN tunnel exposing the user's primary IP address if an attacker can control transit traffic. Also, the report mentions that the issue is resolved by disabling the Captive Portal Detection Mode in the settings.

Since our launch last year, Mozilla VPN, our fast and easy-to-use virtual private network service, has expanded to seven countries, including Austria, Belgium, France, Germany, Italy, Spain, and Switzerland, for a total of 13 countries. where Mozilla VPN is available. We also expanded our VPN service offerings and it is now available on Windows, Mac, Linux, Android, and iOS platforms. Lastly, our list of languages ​​that we support continues to grow, and to date, we support 28 languages.

Moreover the second problem that was found is in the medium severity level and is related to the lack of proper cleaning of non-numeric values ​​in the port number, which allows filtering OAuth authentication parameters by replacing the port number with a string like "1234@example.com", which will lead to the setting of HTML tags to make the request by accessing the domain, for example example.com instead of 127.0.0.1.

The third problem, marked as dangerous mentioned in the report, it is described that This allows any unauthenticated local application to access the VPN client through a WebSocket bound to localhost. As an example, it is shown how, with an active VPN client, any site could organize the creation and delivery of a screenshot by generating the screen_capture event.

The issue was not classified as a vulnerability as WebSocket was used only in internal test builds and the use of this communication channel was only planned in the future to organize interaction with the browser plugin.

Finally if you are interested in knowing more about it About the report released by Mozilla, you can consult the details in the following link.