{"id":2802,"date":"2021-08-31T06:58:43","date_gmt":"2021-08-31T13:58:43","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2802"},"modified":"2021-08-31T20:55:21","modified_gmt":"2021-09-01T03:55:21","slug":"mozilla-vpn-security-audit","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/","title":{"rendered":"Mozilla VPN Security Audit"},"content":{"rendered":"<p>To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of <a href=\"https:\/\/www.mozilla.org\/en-US\/products\/vpn\/\">Mozilla VPN<\/a> that<a href=\"http:\/\/cure53.de\/\"> Cure53<\/a> conducted earlier this year.<\/p>\n<p>The scope of this security audit included the following products:<\/p>\n<ul>\n<li aria-level=\"1\">Mozilla VPN Qt5 App for macOS<\/li>\n<li aria-level=\"1\">Mozilla VPN Qt5 App for Linux<\/li>\n<li aria-level=\"1\">Mozilla VPN Qt5 App for Windows<\/li>\n<li aria-level=\"1\">Mozilla VPN Qt5 App for iOS<\/li>\n<li aria-level=\"1\">Mozilla VPN Qt5 App for Android<\/li>\n<\/ul>\n<p>Here\u2019s a summary of the items discovered within this security audit that were medium or higher severity:<\/p>\n<ul>\n<li aria-level=\"1\"><b>FVP-02-014: Cross-site WebSocket hijacking (High)<\/b>\n<ul>\n<li aria-level=\"1\">Mozilla VPN client, when put in debug mode, exposes a WebSocket interface to localhost to trigger events and retrieve logs (most of the functional tests are written on top of this interface). 
As the WebSocket interface was used only in pre-release test builds, no customers were affected. Cure53 has verified that this item has been properly fixed and the security risk no longer exists.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li aria-level=\"1\"><b>FVP-02-001: VPN leak via captive portal detection (Medium)<\/b>\n<ul>\n<li aria-level=\"1\">Mozilla VPN client allows sending unencrypted HTTP requests outside of the tunnel to specific IP addresses, if the captive portal detection mechanism has been activated through settings. However, the captive portal detection algorithm requires a plain-text HTTP trusted endpoint to operate. Firefox, Chrome, the network manager of macOS and many applications have a similar solution enabled by default. Mozilla VPN utilizes the Firefox endpoint. Ultimately, we have accepted this finding as the user benefits of captive portal detection outweigh the security risk.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li aria-level=\"1\"><b>FVP-02-016: Auth code could be leaked by injecting port (Medium)<\/b>\n<ul>\n<li aria-level=\"1\">When a user wants to log into Mozilla VPN, the VPN client will make a request to https:\/\/vpn.mozilla.org\/api\/v2\/vpn\/login\/windows to obtain an authorization URL. The endpoint takes a port parameter that will be reflected in an &lt;img&gt; element after the user signs into the web page. It was found that the port parameter could be of an arbitrary value. Further, it was possible to inject the @ sign, so that the request will go to an arbitrary host instead of localhost (the site&#8217;s strict Content Security Policy prevented such requests from being sent). We fixed this issue by improving the port number parsing in the REST API component. 
<a href=\"https:\/\/github.com\/mozilla-mobile\/mozilla-vpn-client\/issues\/812\">The fix<\/a> includes several tests to prevent similar errors in the future.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>If you\u2019d like to read the detailed report from Cure53, including all low and informational items, you can find it <a href=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/FVP-02-report.final_.pdf\">here<\/a>.<\/p>\n<p>More information on the issues identified in this report can be found in our <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/advisories\/mfsa2021-31\/\">MFSA2021-31 Security Advisory<\/a> published on July 14th, 2021.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that Cure53 conducted earlier this &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/\">Read more<\/a><\/p>\n","protected":false},"author":1364,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[45512,136095],"coauthors":[311588],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mozilla VPN Security Audit - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jonathan Claudius\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/\",\"name\":\"Mozilla VPN Security Audit - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2021-08-31T13:58:43+00:00\",\"dateModified\":\"2021-09-01T03:55:21+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0698d29abbb07ba8df73f37f511a2f4c\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mozilla VPN Security Audit\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0698d29abbb07ba8df73f37f511a2f4c\",\"name\":\"Jonathan 
Claudius\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/b0dfa545bb42137f9b672b154cb72fb3\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d9554dd0cb7bf455ce8b4100b3210178?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d9554dd0cb7bf455ce8b4100b3210178?s=96&d=identicon&r=g\",\"caption\":\"Jonathan Claudius\"},\"description\":\"Security &amp; Privacy Force Multiplier @Mozilla, Bug Hunter\/Wrangler, FOSS Advocate, and Problem Solver. Simply walked to Mordor.\",\"sameAs\":[\"https:\/\/x.com\/claudijd\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Mozilla VPN Security Audit - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/","twitter_misc":{"Written by":"Jonathan Claudius","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/","url":"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/","name":"Mozilla VPN Security Audit - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2021-08-31T13:58:43+00:00","dateModified":"2021-09-01T03:55:21+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0698d29abbb07ba8df73f37f511a2f4c"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2021\/08\/31\/mozilla-vpn-security-audit\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Mozilla VPN Security Audit"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0698d29abbb07ba8df73f37f511a2f4c","name":"Jonathan 
Claudius","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/b0dfa545bb42137f9b672b154cb72fb3","url":"https:\/\/secure.gravatar.com\/avatar\/d9554dd0cb7bf455ce8b4100b3210178?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d9554dd0cb7bf455ce8b4100b3210178?s=96&d=identicon&r=g","caption":"Jonathan Claudius"},"description":"Security &amp; Privacy Force Multiplier @Mozilla, Bug Hunter\/Wrangler, FOSS Advocate, and Problem Solver. Simply walked to Mordor.","sameAs":["https:\/\/x.com\/claudijd"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2802"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1364"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2802"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2802\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2802"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2802"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2802"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}