Audit finds major security flaw in Mozilla VPN
A recent security audit found a major issue with Mozilla VPN that could have posed an endpoint breach risk.
The audit of Mozilla VPN was carried out by the respected German cybersecurity firm Cure53 (the same company that did security audits for Surfshark, Mullvad VPN, and several other VPN providers). In total, the audit identified 16 vulnerabilities in Mozilla's VPN configuration, most of which were low to medium risk.
However, the analysis also found a major flaw with the application’s WebSocket Controller. According to the experts at Cure53, the flaw could expose a WebSocket endpoint on localhost, thus allowing any website to potentially connect and interact with the VPN client, hijacking the secure connection.
To demonstrate one of the many possible malicious exploits of the vulnerability, Cure53 experts created a piece of code that would connect to the insecure WebSocket port and request a screenshot containing information about the connection. The screenshot could then potentially be leaked to the attacker and used to engineer further infiltration of the user's system.
The identified security risk has been fixed as of August 2021 by Cure53.
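A common defence against a localhost WebSocket endpoint being reachable from arbitrary web pages is to validate the Origin header during the handshake. The following is an added example, not Mozilla VPN's code or its actual fix; the allowlisted origin, the port, and all function names are assumptions, and the sample requests are constructed.

```javascript
// Added example. ALLOWED_ORIGINS, the port and all function names are
// hypothetical; none come from Mozilla VPN or the Cure53 report.
const ALLOWED_ORIGINS = new Set(["https://inspector.example"]); // placeholder

// Parse a raw HTTP/1.1 request head into a method and lower-cased header map.
function parseRequestHead(raw) {
  const [requestLine, ...lines] = raw.split("\r\n\r\n")[0].split("\r\n");
  const headers = new Map();
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i <= 0) return null; // malformed header line
    const name = line.slice(0, i).trim().toLowerCase();
    // A repeated Origin header is ambiguous, so treat it as malformed.
    if (name === "origin" && headers.has(name)) return null;
    headers.set(name, line.slice(i + 1).trim());
  }
  return { method: requestLine.split(" ")[0], headers };
}

// Decide whether a handshake may be upgraded (101) or must be refused.
function decideUpgrade(raw) {
  const req = parseRequestHead(raw);
  if (!req || req.method !== "GET") return { status: 400, reason: "malformed request" };
  if ((req.headers.get("upgrade") || "").toLowerCase() !== "websocket") {
    return { status: 400, reason: "not a WebSocket upgrade" };
  }
  // Browsers attach Origin to every WebSocket handshake and page script cannot
  // override it. Match the whole string: prefix or substring checks would accept
  // look-alike hosts. A missing or "null" Origin is refused as well.
  const origin = req.headers.get("origin");
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, reason: "origin not allowed" };
  }
  return { status: 101, reason: "switching protocols" };
}

// Build a constructed handshake (not captured traffic) with the given Origin lines.
function handshake(originLines) {
  return ["GET / HTTP/1.1", "Host: 127.0.0.1:8765", "Upgrade: websocket",
    "Connection: Upgrade", "Sec-WebSocket-Version: 13",
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==", ...originLines, "", ""].join("\r\n");
}

for (const o of [["Origin: https://inspector.example"], ["Origin: https://evil.example"],
    ["Origin: https://inspector.example.evil.example"], ["Origin: null"], []]) {
  console.log(o[0] || "(no Origin)", "->", decideUpgrade(handshake(o)).status);
}
```

The Origin check only constrains browser pages; a local process can send any header, so it does not replace authenticating the client.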
On top of this major issue, the audit found several other flaws in Mozilla VPN's build that could potentially have been used to carry out man-in-the-middle attacks and gain information about the user and their VPN connection. Most of the identified flaws in the system have been addressed and fixed.
According to both the audit and Mozilla representatives, no users were affected by the potential vulnerabilities in the VPN's system.
Mozilla VPN was launched nearly 20 years ago by the company behind the Firefox browser. The service is currently available in the US, Canada, the UK, Spain, France, Germany, Austria, Belgium, Switzerland, Malaysia, New Zealand, and Singapore.