Mozilla published the results of a recent third-party security audit of its VPN services as part of its commitment to user privacy and security. The audit revealed security issues, which were presented to Mozilla to be addressed with fixes to ensure user privacy and security.
Many search marketers use VPNs in the course of their business to protect sensitive data, especially when using a Wi-Fi connection, so the trustworthiness of a VPN is essential.
A Virtual Private Network (VPN) is a service that hides (encrypts) a user’s Internet traffic so that no third party (like an ISP) can snoop and see what sites a user is visiting.
VPNs also add a layer of security from malicious activities such as session hijacking which can give an attacker full access to the websites a user is visiting.
There is a high expectation from users that the VPN will protect their privacy when they are browsing on the Internet.
Mozilla thus employs the services of a third party to conduct a security audit to make sure their VPN is thoroughly locked down.
Security Risks Discovered
The audit revealed vulnerabilities of medium or higher severity, ranging from Denial of Service (DoS) risks to keychain access leaks (related to encryption) and the lack of access controls.
Cure53, the third-party security firm, discovered and addressed several risks. The issues ranged from potential VPN leaks to a vulnerability that allowed a rogue extension to disable the VPN.
The scope of the audit encompassed the following products:
- Mozilla VPN Qt6 App for macOS
- Mozilla VPN Qt6 App for Linux
- Mozilla VPN Qt6 App for Windows
- Mozilla VPN Qt6 App for iOS
- Mozilla VPN Qt6 App for Android
These are the risks identified by the security audit:
- FVP-03-003: DoS via serialized intent
- FVP-03-008: Keychain access level leaks WG private key to iCloud
- FVP-03-010: VPN leak via captive portal detection
- FVP-03-011: Lack of local TCP server access controls
- FVP-03-012: Rogue extension can disable VPN using mozillavpnnp (High)
The rogue extension issue was rated as high severity. Each risk was subsequently addressed by Mozilla.
Mozilla presented the results of the security audit as part of their commitment to transparency and to maintain the trust and security of their users. Conducting a third-party security audit is a best practice for a VPN provider that helps assure users that the VPN is trustworthy and reliable.
Read Mozilla’s announcement:
Mozilla VPN Security Audit 2023