Mozilla VPN Security Audit 2023 Highlights Strong Security and Transparency

Mozilla has released the findings of a recent independent security audit of its VPN services, underscoring its dedication to user privacy and security. The audit identified security issues, which Mozilla is addressing to ensure enhanced user privacy and security.

Many search marketers rely on VPNs for business purposes, particularly when using public Wi-Fi to protect sensitive data. Therefore, the reliability of a VPN is crucial.

Mozilla VPN

A Virtual Private Network (VPN) is a service that encrypts a user’s internet traffic to prevent third parties, such as ISPs, from monitoring website visits. VPNs also provide additional security protections against malicious activities like session hijacking, preventing unauthorized access to the websites visited by the user. Users generally expect VPNs to safeguard their privacy while browsing the internet. To ensure their VPN service is highly secure, Mozilla employs third-party services to conduct security audits.

Mozilla VPN Has Strong Security

The security report highlighted several strengths of Mozilla’s VPN, including protective measures for the Linux and macOS versions and the key management implementation. Similar findings were noted for the Windows version, including checks for DNS leak issues specific to Windows 10.

Security Vendor’s Observations:

“In spite of the audit team’s exhaustive approaches, no associated shortcomings were discovered in this regard. The Windows VPN application uses the system’s credential storage to securely store authentication data.”

Despite these strengths, the security vendor identified additional security concerns and recommended allocating more resources for privacy assurance.

Recommendations:

“Cure53 would like to draw attention to the increased yield of findings encountered for this examination. It is recommended that the developer team invest further time and resources into analyzing all potential attack vectors, especially when exposing functionality from the VPN client externally.”

Security Risks Discovered

The audit uncovered vulnerabilities of medium or higher severity, including Denial of Service (DoS) risks, a keychain access level that leaks the WireGuard (WG) private key to iCloud, and insufficient access controls on a local TCP server. Cure53, the security firm, identified and addressed several risks. Concerns included a potential VPN leak via captive portal detection and a vulnerability allowing a rogue extension to disable the VPN.

Scope of the Audit Included:

  • Mozilla VPN Qt6 App for macOS
  • Mozilla VPN Qt6 App for Linux
  • Mozilla VPN Qt6 App for Windows
  • Mozilla VPN Qt6 App for iOS
  • Mozilla VPN Qt6 App for Android

Identified Risks:

  • FVP-03-003: DoS via serialized intent
  • FVP-03-008: Keychain access level leaks WG private key to iCloud
  • FVP-03-010: VPN leak via captive portal detection
  • FVP-03-011: Lack of local TCP server access controls
  • FVP-03-012: Rogue extension can disable VPN using mozillavpnnp (High)

The issue involving rogue extensions was rated as high severity, but Mozilla has since addressed each risk.

Security Audit and Transparency = High-Quality Secure VPN

Mozilla shared the audit results to demonstrate their commitment to transparency and to maintain user trust and security. Third-party security audits are a best practice for VPN providers to ensure trustworthiness and reliability. The audit results emphasize that Mozilla VPN is a highly secure product. Mozilla’s transparency further enhances the VPN’s reputation as a secure and trustworthy choice.

Featured Image by Shutterstock/Meilun
