Mozilla VPN was audited by an independent body, and the report was published on December 6, 2023. This is the second audit; the first audit of Mozilla VPN took place in 2021. The audit was conducted by Cure53, a German cybersecurity firm with over 15 years of industry experience that has evaluated many of the best VPN services.
The scope of the audit covered the Mozilla VPN apps for macOS, Linux, Windows, iOS, and Android. In the process, two major vulnerabilities were discovered: one was rated critical and the other high risk. The good news is that both have since been fixed by the company. Let's take a closer look at all the vulnerabilities found.
The audit revealed an incorrect access level on the WireGuard settings stored in the iOS keychain. As a result, the settings were included in the iCloud backup, and that backup was not encrypted end-to-end. Simply put, without Advanced Data Encryption enabled, Apple could read the WireGuard settings.
However, after discussions with Mozilla, Cure53 concluded that this behavior only occurred under certain test circumstances.
The Mozilla VPN client exposed a local TCP interface on port 8754 (bound to localhost) for communicating with the Firefox Multi-Account Containers extension. Any user or process on the local host could disable the VPN by sending a request to this port.
This vulnerability has also been resolved and verified.
The Native Messaging API was used for communication between Multi-Account Containers (referenced in FVP-03-011) and mozillavpnnp. The auditors found that mozillavpnnp had no way to restrict which applications could call it, meaning that a malicious local actor could interact with the VPN and disable it.
This vulnerability was considered high risk and was addressed by the VPN provider.
Testing revealed that the Mozilla VPN Android app exported an activity to third-party apps; a crafted intent sent to it could crash the app completely. A background app could do this repeatedly, rendering the Android app inoperable and potentially causing a DoS.
However, this was rated only a moderate threat because the WireGuard tunnel did not fail even after the app crashed: the tunnel is managed by the Android OS. Mozilla fixed the issue and Cure53 verified the fix.
Cure53 found in testing that the daemon socket on macOS did not enforce access control.
Without it, any unauthorized local user could read or erase the daemon logs, compromise the public key, or terminate the VPN connection via the daemon. This vulnerability has been fixed by the VPN provider and verified by Cure53.
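The macOS daemon-socket finding and the localhost port-8754 finding share a root cause: a local control endpoint that never checks who is calling. As an added example (my own, not Mozilla's or Cure53's code), the minimal daemon below authorises a "disconnect" command by the caller's UID using SO_PEERCRED, which Unix domain sockets provide and a localhost TCP port cannot; the constants assume Linux (macOS offers the same through LOCAL_PEERCRED), and the socket path and allowlist are constructed for the demo.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed demo (not Mozilla's code): a control daemon on a Unix socket
# that only honours commands from callers whose UID is on an allowlist.
# Peer identity comes from SO_PEERCRED (Linux; macOS: LOCAL_PEERCRED).
# A TCP port on localhost cannot identify its caller this way at all.

def peer_uid(conn: socket.socket) -> int:
    """UID of the process at the other end of a connected Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)  # struct ucred layout
    return uid

def handle_one(srv: socket.socket, allowed_uids: set) -> str:
    """Accept one client, authorise it by peer UID, return the verdict."""
    conn, _ = srv.accept()
    with conn:
        cmd = conn.recv(64).decode()
        uid = peer_uid(conn)
        verdict = "accepted" if uid in allowed_uids else "rejected"
        reply = f"{verdict} {cmd} from uid {uid}"
        conn.sendall(reply.encode())
    return reply

def send_command(path: str, cmd: str) -> str:
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(cmd.encode())
        return c.recv(128).decode()

def run_demo(allowed_uids=None) -> str:
    if allowed_uids is None:
        allowed_uids = {os.getuid()}  # default: only the current user
    path = os.path.join(tempfile.mkdtemp(), "vpnctl.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)  # first layer: filesystem permission on the socket
    srv.listen(1)
    t = threading.Thread(target=lambda: handle_one(srv, allowed_uids))
    t.start()
    reply = send_command(path, "disconnect")  # queued in backlog until accept
    t.join()
    srv.close()
    return reply
```

Calling `run_demo()` accepts the command from your own UID, while `run_demo(set())` rejects it; the second layer (peer credentials) is what the filesystem mode alone cannot give you once a socket is world-connectable.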
The audit also revealed that the captive portal notification feature sends unencrypted HTTP requests outside of the VPN tunnel, potentially leading to an IP leak; Cure53 recommended disabling this feature to prevent such a leak.
However, the risk associated with this vulnerability is relatively low given the complexity of exploiting it. Like the other findings, it has been addressed: Mozilla disabled the feature.
As you can see, Mozilla VPN was unable to obtain a clean report from Cure53. However, the audit did allow the provider to improve some of its VPN services.
For this reason, we only recommend VPN services that undergo regular audits, even if the reports are not always perfect. Furthermore, vulnerabilities found in these audits can be fixed before it is too late, as in the case of Mozilla VPN.