Mozilla published the results of a recent third-party security audit of its VPN services as part of its commitment to user privacy and security. The audit revealed security issues, which were presented to Mozilla to be addressed with fixes to ensure user privacy and security.
Many search marketers use VPNs during the course of their business, especially when using a Wi-Fi connection, in order to protect sensitive data, so the trustworthiness of a VPN is essential.
A Virtual Private Network (VPN) is a service that hides (encrypts) a user’s Internet traffic so that no third party (like an ISP) can snoop and see what sites a user is visiting.
VPNs also add a layer of security from malicious activities such as session hijacking which can give an attacker full access to the websites a user is visiting.
There is a high expectation from users that the VPN will protect their privacy when they are browsing on the Internet.
Mozilla thus employs the services of a third party to conduct a security audit to make sure their VPN is thoroughly locked down.
Mozilla VPN Has Strong Security
The security vendor noted in their report that there was a lot that the Mozilla VPN did right, such as the safeguard measures taken for the Linux and macOS versions, with a special mention of the key management implementation.
Similar observations were made about the Windows implementation. The review included checking for issues specific to Windows 10 related to DNS leaks, but the security vendor, Cure53, found it to be locked down tight.
The security vendor noted:
“In spite of the audit team’s exhaustive approaches, no associated shortcomings were discovered in this regard. The Windows VPN application takes advantage of the system’s credential storage to store authentication data securely.”
Nevertheless, the security vendor noted that there were more security issues discovered with this audit and recommended more resources be devoted to privacy assurance.
“Cure53 would like to draw attention to the increased yield of findings encountered for this examination.
It is recommended that the developer team invest further time and resources into materializing an analysis of all potential attack vectors, particularly when exposing functionality from the VPN client externally.”
Security Risks Discovered
The audit revealed vulnerabilities of medium or higher severity, ranging from Denial of Service (DoS) risks to keychain access leaks (related to encryption) and the lack of access controls.
Cure53, the third-party security firm, discovered and addressed several risks. The issues ranged from potential VPN leaks to a vulnerability that let a rogue extension disable the VPN.
The scope of the audit encompassed the following products:
- Mozilla VPN Qt6 App for macOS
- Mozilla VPN Qt6 App for Linux
- Mozilla VPN Qt6 App for Windows
- Mozilla VPN Qt6 App for iOS
- Mozilla VPN Qt6 App for Android
These are the risks identified by the security audit:
- FVP-03-003: DoS via serialized intent
- FVP-03-008: Keychain access level leaks WG private key to iCloud
- FVP-03-010: VPN leak via captive portal detection
- FVP-03-011: Lack of local TCP server access controls
- FVP-03-012: Rogue extension can disable VPN using mozillavpnnp (High)
The rogue extension issue was rated as high severity. Each risk was subsequently addressed by Mozilla.
Security Audit And Transparency = High Quality Secure VPN
Mozilla presented the results of the security audit as part of their commitment to transparency and to maintain the trust and security of their users. Conducting a third-party security audit is a best practice for a VPN provider that helps assure that the VPN is trustworthy and reliable.
The results of the audit highlight that the Mozilla VPN is a highly secure product. Mozilla’s transparency enhances the credibility of the VPN as a secure and trustworthy choice.
Read Mozilla’s announcement:
Mozilla VPN Security Audit 2023