John Leyden
01 September 2021 at 16:40 UTC
Updated: 01 September 2021 at 16:50 UTC
Nonprofit reveals more favorable results than those uncovered by similar review last year
Mozilla has published the results of an independently conducted audit of its virtual private network (VPN) technology.
The initiative – part of the Firefox vendor’s efforts to offer greater transparency in its plans to improve user security and privacy – was conducted by German security outfit Cure53.
The audit involved a combination of source code reviews and a penetration test, taking a ‘white box’ approach to security auditing. A team of seven from Cure53 carried out the audit over a combined period of 25 days.
The review is the second on Mozilla’s technology by Cure53. The first audit happened in August 2020 and yielded several issues, including a critical-severity bug. “A lot of development work has been done since then,” Cure53 concluded.
What’s in the box?
This year’s exercise led to the discovery of a rare example of a cross-site WebSocket hijacking vulnerability.
The high-severity flaw meant that the Mozilla VPN client, when put in debug mode, “exposes a WebSocket interface to localhost to trigger events and retrieve logs”. Since the WebSocket interface only features in pre-release test builds of the software, customers were not impacted by the issue.
Cure53’s painstaking audit of Mozilla’s code on all supported platforms (macOS, Linux, Windows, iOS, and Android) also uncovered two medium severity flaws in mainstream builds of the software.
In cases where the captive portal detection mechanism has been activated, Mozilla’s VPN client allows the sending of unencrypted HTTP requests outside the encrypted tunnel to certain IP addresses.
Although strict disciplinarians would categorise this behaviour as a medium-risk flaw, the same approach is used across the industry by Firefox, Chrome, and the network manager of macOS, among other applications.
The captive portal detection algorithm requires a trusted plain-text HTTP endpoint to work, and captive portal detection offers benefits to users that arguably exceed the security risks.
Where it’s @
Another issue uncovered by the audit is more befitting of the description of a medium-risk threat.
This flaw meant that an authentication code could be leaked because of weaknesses in the authentication flow of Mozilla’s technology.
When a user wants to log into Mozilla VPN, the VPN client makes a request to a Mozilla site in order to obtain an authorization URL. The endpoint takes a port parameter that will be reflected in a <img> element after the user signs into the web page.
Security auditors at Cure53 found that the port parameter could be of an arbitrary value.
“Further, it was possible to inject the @ sign, so that the request will go to an arbitrary host instead of localhost (the site’s strict Content Security Policy prevented such requests from being sent),” according to Cure53.
Mozilla resolved the issue by improving the port number parsing in the REST API component of the software.
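To illustrate the class of bug described above, here is an added example (not Mozilla’s or Cure53’s code) contrasting a naive interpolation of the port parameter into a localhost callback URL with a strict port parser of the kind the fix implies; the callback path and helper names are assumptions.

```python
import re
from urllib.parse import urlsplit

# The client listens on localhost and the web page embeds the port in a URL
# (as the article describes). The "/callback" path is an assumption.
CALLBACK_HOST = "localhost"

def naive_callback_url(port_param: str) -> str:
    """Vulnerable pattern: the raw query parameter is interpolated unchecked."""
    return f"http://{CALLBACK_HOST}:{port_param}/callback"

# Strict parser: only 1-5 decimal digits are accepted, so '@', '/', ':' and
# other authority delimiters can never reach the URL.
PORT_RE = re.compile(r"[0-9]{1,5}")

def parse_port(value: str) -> int:
    """Return the port as an int, or raise ValueError if it is not a plain TCP port."""
    if not PORT_RE.fullmatch(value):
        raise ValueError(f"port is not a plain decimal integer: {value!r}")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def is_valid_port(value: str) -> bool:
    try:
        parse_port(value)
        return True
    except ValueError:
        return False

def safe_callback_url(port_param: str) -> str:
    """Hardened pattern: the parameter must survive parse_port before it is used."""
    return f"http://{CALLBACK_HOST}:{parse_port(port_param)}/callback"

def request_host(url: str) -> str:
    """Host a standards-compliant client would contact: '@' ends the userinfo, so
    'localhost:1234' becomes credentials and the text after '@' becomes the host."""
    return urlsplit(url).hostname

if __name__ == "__main__":
    hostile = "1234@attacker.example"          # constructed hostile parameter value
    print(request_host(naive_callback_url(hostile)))   # attacker.example
    print(is_valid_port(hostile), is_valid_port("1234"))  # False True
    print(request_host(safe_callback_url("1234")))     # localhost
```

In the audited case the site’s Content Security Policy stopped the redirected request from being sent; the parser above removes the dependency on that second layer.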
A summary on the main flaws identified during the audit can be found here. A copy of a more comprehensive report listing lower impact flaws uncovered during the review is here (PDF).
The Daily Swig invited both Mozilla and Cure53 to comment on the audit. No word back as yet but we’ll update this story as and when more information comes to hand.