Non-profit reveals more favorable results than those uncovered by similar review last year
UPDATED Mozilla has published the results of an independently conducted audit of its virtual private network (VPN) technology.
The initiative – part of the Firefox developer’s efforts to offer greater transparency in its plans to improve user security and privacy – was conducted by German security outfit Cure53.
The audit involved a combination of source code reviews and a penetration test, taking a ‘white box’ approach to security auditing. A team of seven from Cure53 carried out the audit over a combined period of 25 days.
The review is the second on Mozilla’s technology by Cure53. The first audit happened in August 2020 and yielded several issues, including a critical-severity bug. “A lot of development work has been done since then,” Cure53 concluded.
Mozilla told The Daily Swig: "We partnered with Cure53 in 2020 to conduct an audit of the first iteration of Mozilla VPN. However, shortly after this audit, we underwent a full re-architecture to make Mozilla VPN more cross-platform, utilizing the Qt framework instead of managing per-platform code bases. We did issue a public advisory resulting from that report, which can be found here."
What’s in the box?
This year’s exercise led to the discovery of a rare example of a cross-site WebSocket hijacking vulnerability.
The high-severity flaw meant that the Mozilla VPN client, when put in debug mode, “exposes a WebSocket interface to localhost to trigger events and retrieve logs”. Since the WebSocket interface only features in pre-release test builds of the software, customers were not impacted by the issue.
Cure53’s painstaking audit of Mozilla’s code on all supported platforms (macOS, Linux, Windows, iOS, and Android) also uncovered two medium-severity flaws in mainstream builds of the software.
In cases where the captive portal detection mechanism has been activated, Mozilla’s VPN client allows unencrypted HTTP requests to be sent outside the encrypted tunnel to certain IP addresses.
Although strict disciplinarians would categorise this behaviour as a medium-risk flaw, the same approach is used across the industry by Firefox, Chrome, and the network manager of macOS, among other applications.
The captive portal detection algorithm requires a trusted plain-text HTTP endpoint to work, and captive portal detection offers benefits to users that arguably exceed the security risks.
Where it’s @
Another issue uncovered by the audit is more befitting of the description of a medium risk threat.
This flaw meant that an authentication code could be leaked because of weaknesses in the authentication flow of Mozilla’s technology.
When a user wants to log into Mozilla VPN, the VPN client makes a request to a Mozilla site in order to obtain an authorization URL. The endpoint takes a port parameter that will be reflected in an <img> element after the user signs into the web page.
Security auditors at Cure53 found that the port parameter could be of an arbitrary value.
“Further, it was possible to inject the @ sign, so that the request will go to an arbitrary host instead of localhost (the site’s strict Content Security Policy prevented such requests from being sent),” according to Cure53.
Mozilla resolved the issue by improving the port number parsing in the REST API component of the software.
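To illustrate the parsing weakness described above and the kind of fix Mozilla applied, here is an added example (not code from Mozilla or Cure53) that contrasts verbatim concatenation of a port parameter with strict integer parsing; the callback path and function names are assumptions, and the “@” value is a constructed sample.

```javascript
// Added illustration (not Mozilla's code): an unvalidated "port" parameter
// reflected into a localhost callback URL can change the host the browser
// contacts, while a strict parser rejects anything but a real TCP port.
// The "/callback" path and all function names are assumptions.

// Weak construction: the port value is concatenated verbatim.
function buildCallbackUrlNaive(port) {
  return "http://localhost:" + port + "/callback";
}

// Strict port parsing: only a decimal integer in the valid TCP range.
// Values such as "1234@evil.example" or "1234abc" are rejected.
function parsePort(value) {
  if (typeof value !== "string" || !/^[0-9]{1,5}$/.test(value)) {
    return null;
  }
  const port = Number(value);
  return port >= 1 && port <= 65535 ? port : null;
}

// Hardened construction: the URL is built from a validated number only.
function buildCallbackUrlStrict(port) {
  const parsed = parsePort(port);
  if (parsed === null) {
    throw new Error("invalid port parameter");
  }
  return "http://localhost:" + parsed + "/callback";
}

// Host a browser would actually contact for a URL, per the WHATWG parser.
function resolvedHost(url) {
  return new URL(url).hostname;
}

// Constructed sample value: with "@" present, "localhost:1234" becomes the
// userinfo part of the URL and "evil.example" becomes the real host.
const constructedPort = "1234@evil.example";
console.log(resolvedHost(buildCallbackUrlNaive("1234")));          // localhost
console.log(resolvedHost(buildCallbackUrlNaive(constructedPort))); // evil.example
console.log(parsePort(constructedPort));                           // null
console.log(buildCallbackUrlStrict("1234"));                       // http://localhost:1234/callback
```

A Content Security Policy on the page, as Cure53 noted, acts as a second layer that blocks the outbound request even when the URL is malformed.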
Mozilla told The Daily Swig about the broad objectives of its audits, which extend beyond the Firefox VPN evaluation run by Cure53.
"We conduct both internal and external security audits for many of our products," it said. "The types of audits and their frequency are something we balance on a per-product basis and follow a risk-based model."
"Our broad objective with these audits is to function as a strong and independent view to complement our internal security program and our public bug bounty program," the Firefox developer added.
The Daily Swig also invited Cure53 to comment on its audit. No word back as yet but we’ll update this story as and when more information comes to hand.
This story was updated to include comment from Mozilla