{"id":2862,"date":"2023-12-06T09:00:37","date_gmt":"2023-12-06T17:00:37","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2862"},"modified":"2023-12-06T15:04:34","modified_gmt":"2023-12-06T23:04:34","slug":"mozilla-vpn-security-audit-2023","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/","title":{"rendered":"Mozilla VPN Security Audit 2023"},"content":{"rendered":"<p>To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of <a href=\"https:\/\/www.mozilla.org\/en-US\/products\/vpn\/\">Mozilla VPN<\/a> that <a href=\"http:\/\/cure53.de\/\">Cure53<\/a> conducted earlier this year.<\/p>\n<p>The scope of this security audit included the following products:<\/p>\n<ul>\n<li aria-level=\"1\">Mozilla VPN Qt6 App for macOS<\/li>\n<li aria-level=\"1\">Mozilla VPN Qt6 App for Linux<\/li>\n<li aria-level=\"1\">Mozilla VPN Qt6 App for Windows<\/li>\n<li aria-level=\"1\">Mozilla VPN Qt6 App for iOS<\/li>\n<li aria-level=\"1\">Mozilla VPN Qt6 App for Android<\/li>\n<\/ul>\n<p>Here\u2019s a summary of the items discovered within this security audit that the auditors rated as medium or higher severity:<\/p>\n<ul>\n<li aria-level=\"1\"><b>FVP-03-003: DoS via serialized intent<\/b>\n<ul>\n<li aria-level=\"2\">Data received via <i>intents<\/i> within the affected activity should be validated to prevent the Android app from exposing certain activities to third-party apps.<\/li>\n<li aria-level=\"2\">There was a risk that a malicious application could leverage this weakness to crash the app at any time.<\/li>\n<li aria-level=\"2\">This risk was addressed by Mozilla and confirmed by Cure53.<\/li>\n<\/ul>\n<\/li>\n<li aria-level=\"1\"><b>FVP-03-008: Keychain access level leaks WG private key to iCloud<\/b>\n<ul>\n<li aria-level=\"2\">Cure53 confirmed that this risk has been addressed due to an extra layer of encryption, which protects the Keychain specifically with a key from the device&#8217;s secure enclave.<\/li>\n<\/ul>\n<\/li>\n<li aria-level=\"1\"><b>FVP-03-009: Lack of access controls on daemon socket<\/b>\n<ul>\n<li aria-level=\"2\">Access controls to guarantee that the user sending commands to the daemon is permitted to initiate the intended action need to be implemented.<\/li>\n<li aria-level=\"2\">This risk has been addressed by Mozilla and confirmed by Cure53.<\/li>\n<\/ul>\n<\/li>\n<li aria-level=\"1\"><b>FVP-03-010: VPN leak via captive portal detection<\/b>\n<ul>\n<li aria-level=\"2\">Cure53 advised that the captive portal detection feature be turned off by default to prevent an opportunity for IP leakage when using maliciously set up WiFi hotspots.<\/li>\n<li aria-level=\"2\">Mozilla addressed the risk by no longer pinging for a captive portal outside of the VPN tunnel.<\/li>\n<\/ul>\n<\/li>\n<li aria-level=\"1\"><b>FVP-03-011: Lack of local TCP server access controls<\/b>\n<ul>\n<li aria-level=\"2\">The VPN client exposes a local TCP interface running on port 8754, which is bound to localhost. Users on localhost can issue a request to the port and disable the VPN.<\/li>\n<li aria-level=\"2\">Mozilla addressed this risk as recommended by Cure53.<\/li>\n<\/ul>\n<\/li>\n<li aria-level=\"1\"><b>FVP-03-012: Rogue extension can disable VPN using mozillavpnnp (High)<\/b>\n<ul>\n<li aria-level=\"2\">mozillavpnnp does not sufficiently restrict the application caller.<\/li>\n<li aria-level=\"2\">Mozilla addressed this risk as recommended by Cure53.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>If you\u2019d like to read the detailed report from Cure53, including all low and informational items, you can find it <a href=\"https:\/\/blog.mozilla.org\/security\/files\/2023\/12\/Cure53-Final-Audit-Report.pdf\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that Cure53 conducted earlier this &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/\">Read more<\/a><\/p>\n","protected":false},"author":1284,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[47,847,69,77],"tags":[136095],"coauthors":[466108],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mozilla VPN Security Audit 2023 - Mozilla Security Blog<\/title>\n<meta name=\"description\" content=\"To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that Cure53 conducted earlier this year.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Adrienne Davenport\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/\",\"name\":\"Mozilla VPN Security Audit 2023 - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2023-12-06T17:00:37+00:00\",\"dateModified\":\"2023-12-06T23:04:34+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/1273d6258d809d28486b1070fbe70988\"},\"description\":\"To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that Cure53 conducted earlier this year.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mozilla VPN Security Audit 2023\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/1273d6258d809d28486b1070fbe70988\",\"name\":\"Jenifer Boscacci\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/5e318f73db045f3a239a8e582ac5e3c4\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/308c5d508977f9fdb88b904b45767934?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/308c5d508977f9fdb88b904b45767934?s=96&d=identicon&r=g\",\"caption\":\"Jenifer Boscacci\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Mozilla VPN Security Audit 2023 - Mozilla Security Blog","description":"To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that Cure53 conducted earlier this year.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/","twitter_misc":{"Written by":"Adrienne Davenport","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/","url":"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/","name":"Mozilla VPN Security Audit 2023 - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2023-12-06T17:00:37+00:00","dateModified":"2023-12-06T23:04:34+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/1273d6258d809d28486b1070fbe70988"},"description":"To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we are releasing a security audit of Mozilla VPN that Cure53 conducted earlier this year.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2023\/12\/06\/mozilla-vpn-security-audit-2023\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Mozilla VPN Security Audit 2023"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/1273d6258d809d28486b1070fbe70988","name":"Jenifer Boscacci","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/5e318f73db045f3a239a8e582ac5e3c4","url":"https:\/\/secure.gravatar.com\/avatar\/308c5d508977f9fdb88b904b45767934?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/308c5d508977f9fdb88b904b45767934?s=96&d=identicon&r=g","caption":"Jenifer Boscacci"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2862"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1284"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2862"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2862\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2862"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}