To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that Cure53 conducted earlier this year.
The scope of this security audit included the following products:
- Mozilla VPN Qt6 App for macOS
- Mozilla VPN Qt6 App for Linux
- Mozilla VPN Qt6 App for Windows
- Mozilla VPN Qt6 App for iOS
- Mozilla VPN Qt6 App for Android
Here’s a summary of the items discovered within this security audit that the auditors rated as medium or higher severity:
- FVP-03-003: DoS via serialized intent
  - The Android app exposes certain activities to third-party apps, so data received via intents in the affected activity should be validated before it is used.
  - There was a risk that a malicious application could leverage this weakness to crash the app at any time.
  - This risk was addressed by Mozilla and confirmed by Cure53.
- FVP-03-008: Keychain access level leaks WG private key to iCloud
  - Cure53 confirmed that this risk has been addressed: the WireGuard (WG) private key is now protected by an extra layer of encryption using a key held in the device’s Secure Enclave, which cannot leave the device.
- FVP-03-009: Lack of access controls on daemon socket
  - Access controls need to be implemented to guarantee that the user sending commands to the daemon is permitted to initiate the intended action.
  - This risk has been addressed by Mozilla and confirmed by Cure53.
- FVP-03-010: VPN leak via captive portal detection
  - Cure53 advised that the captive portal detection feature be turned off by default, to remove an opportunity for IP address leakage on maliciously configured Wi-Fi hotspots.
  - Mozilla addressed the risk by no longer pinging for a captive portal outside of the VPN tunnel.
- FVP-03-011: Lack of local TCP server access controls
  - The VPN client exposes a local TCP interface on port 8754, bound to localhost. Any user or process on the same machine can issue a request to that port and disable the VPN.
  - Mozilla addressed this risk as recommended by Cure53.
- FVP-03-012: Rogue extension can disable VPN using mozillavpnnp (High)
  - mozillavpnnp, the native messaging helper used by browser extensions to talk to the VPN client, does not sufficiently restrict which application may call it, so a rogue extension could use it to disable the VPN.
  - Mozilla addressed this risk as recommended by Cure53.
If you’d like to read the detailed report from Cure53, including all low and informational items, you can find it here.