Berlin-based cybersecurity company Cure53 discovered some security flaws in Mozilla VPN apps during its latest security audit.
After reviewing all Mozilla clients, a total of seven security issues were discovered, two of which were considered critical or high priority. The VPN service now ensures that all potential risks have already been addressed.
Independent audits have increasingly become a regular practice among VPN companies that value transparency and security. This is the third time that Mozilla has entrusted Cure53 with such a task and it comes as the provider has launched new features, including a new malware blocking system.
Mozilla's mixed results
A team of five senior testers at Cure53 conducted a series of penetration tests and software inspections over a total period of 21 working days in May 2023. A white-box approach was used to test the security infrastructure and code soundness for all Mozilla applications, namely MacOS, Linux, Windows, iOS and Android VPN apps.
Seven security flaws, two of high priority and five of medium priority, “contributed to the decidedly mixed overall impression given about the resilience of the Mozilla VPN client applications,” the report said.
If the code structure was deemed “well constructed” and free of memory corruption errors, experts found that some of the VPN features were potentially exposing users' data.
The most critical vulnerability affected the Mozilla VPN iOS app. Testing has shown that WireGuard configuration stored in the iOS Keychain is leaked to iCloud via device backups if users do not explicitly opt for Advanced Data Encryption. Mozilla claimed that Cure53 confirmed that this risk has been addressed by adding an additional layer of encryption.
Another high priority error was found on the desktop as the mozillavpnp application did not restrict the application caller enough, potentially allowing a malicious add-on to communicate with the VPN and possibly even disable the VPN connection without the user knowing. Once again, Mozilla assured to have addressed this risk as recommended by Cure53.
As mentioned, Mozilla has reportedly fixed all other medium and low-level vulnerabilities as recommended by Cure53. Similarly, the last security audit in 2021 found major issues in Mozilla VPN, all of which were resolved during the audit period.
On a more positive note, Cure53 also praised some of Mozilla's features, such as split tunneling and multi-hop connections, which relied on established technology such as Mullvad libraries and drivers. “The fact that these are integrated from the outset minimizes the chance of weaknesses emerging, with no significant concerns to raise during the assigned review schedule,” experts wrote.
Mozilla said it has decided to re-engage the external accounting firm before releasing some new features. These include malware blocking software launched in August, as well as performance improvements such as server location recommendations that were integrated into the apps in June.
The provider has also expanded its server network to 16 more European countries, including Denmark, Hungary, Portugal and more.