Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Chiara Castro

Security audit finds flaws with Mozilla VPN

Mozilla VPN on a Smartphone.

The Berlin-based cybersecurity firm Cure53 found some security flaws with Mozilla VPN apps during its last security audit. 

After reviewing all Mozilla's clients, a total of seven security vulnerabilities were discovered with two of these deemed as critical or high priority. The VPN service now ensures to have already addressed all the potential risks. 

Independent audits have increasingly become a regular practice among VPN companies which value transparency and security. This is the third time Mozilla has trusted Cure53 with such a task and it comes as the provider launched new features, including a new malware blocking system.

Mozilla's mixed results 

A team of five senior testers at Cure53 carried out a series of penetration testing and software inspections throughout May 2023 for a total period of 21 working days. A white-box approach was employed to test the security infrastructure and code soundness for all Mozilla applications, namely MacOS, Linux, Windows, iOS and Android VPN app.

Seven security flaws, two high and five at medium priority, "contributed to the decidedly mixed overall impression garnered for the Mozilla VPN client applications security resilience," the report reads.

If the code structure was deemed as "soundly composed" and free from memory corruption faults, experts found some of the VPN features to potentially expose users' data.

The most critical vulnerability affected the Mozilla VPN iOS app. Tests showed that the WireGuard configuration stored in the iOS Keychain was leaked to the iCloud via device backups if users don't explicitly opt in for Advanced Data Encryption. Mozilla claimed that Cure53 confirmed that this risk has been addressed by adding an extra layer of encryption.

Another high priority flaw was found on desktop as the mozillavpnp application did not sufficiently restrict the application caller, potentially allowing a malicious add-on to interact with the VPN and possibly even disable the VPN connection without the user knowing. Again, Mozilla assured to have addressed this risk as recommended by Cure53.

This is the user interface of Mozilla VPN's Windows app (Image credit: Mozilla)

As mentioned, Mozilla have reportedly fixed all the other medium and low vulnerabilities as recommended by Cure53. Similarly, the last security audit undergone in 2021 found major issues in Mozilla VPN that were all fixed during the auditing period.

On a more positive note, Cure53 also praised some of Mozilla features like split-tunneling and multi-hop connections which relied on established technology like Mullvad libraries and drivers. "The fact that these were integrated from scratch minimizes the likelihood of emerging weaknesses, with no notable concerns to report during the allocated assessment schedule," experts wrote.

Mozilla said to have decided to call in the third-party auditing firm again prior to releasing some new features. These include a malware blocking software launched in August as well as performance improvements like server location recommendations which was integrated across its apps in June.

The provider has also expanded its server network across 16 more European countries, including  Denmark, Hungary, Portugal, and more. 

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.