On Tuesday, Mozilla released a report describing the findings of a security audit conducted on its Mozilla VPN product.
Mozilla VPN is an open source virtual private network available as a browser extension, desktop application, and mobile app; it was officially introduced in July 2020. Mozilla VPN is now available in 13 countries across North America, Europe, and the APAC region.
Mozilla hired Cure53, a security services firm located in Germany, to analyze the Mozilla VPN apps for Windows, Linux, macOS, iOS, and Android earlier this year, and the results of the audit were made public this week.
Cure53’s analysis resulted in the discovery of one vulnerability and 15 “miscellaneous issues” that, according to the researchers, do not lead to an exploit on their own but may aid attackers in reaching their objectives.
The medium-severity flaw could lead to user deanonymization if specific conditions are met: an attacker must be able to passively monitor network traffic, a capability normally only available to nation-state threat actors. The vulnerability affects a captive portal detection technique, and Mozilla has decided not to patch it, judging that the feature’s benefits to users outweigh the security risk.
One of the miscellaneous issues has been identified as high severity, while the others have been rated as medium severity. The remaining issues have been classified as low severity or informational.
The high-severity issue is that, when running in debug mode, the VPN client exposes a WebSocket interface on localhost. An attacker could have taken advantage of this by convincing the target user to visit a malicious website. Customers, however, were unaffected because the impacted WebSocket interface was only utilised in pre-release test builds.