Security audit finds flaws with Mozilla VPN

Mozilla VPN on a Smartphone
(Image credit: Mozilla)

The Berlin-based cybersecurity firm Cure53 found some security flaws with Mozilla VPN apps during its last security audit. 

After reviewing all Mozilla's clients, a total of seven security vulnerabilities were discovered with two of these deemed as critical or high priority. The VPN service now ensures to have already addressed all the potential risks. 

Independent audits have increasingly become a regular practice among VPN companies which value transparency and security. This is the third time Mozilla has trusted Cure53 with such a task and it comes as the provider launched new features, including a new malware blocking system.

Mozilla's mixed results 

A team of five senior testers at Cure53 carried out a series of penetration testing and software inspections throughout May 2023 for a total period of 21 working days. A white-box approach was employed to test the security infrastructure and code soundness for all Mozilla applications, namely MacOS, Linux, Windows, iOS and Android VPN app.

Seven security flaws, two high and five at medium priority, "contributed to the decidedly mixed overall impression garnered for the Mozilla VPN client applications security resilience," the report reads.

If the code structure was deemed as "soundly composed" and free from memory corruption faults, experts found some of the VPN features to potentially expose users' data.

The most critical vulnerability affected the Mozilla VPN iOS app. Tests showed that the WireGuard configuration stored in the iOS Keychain was leaked to the iCloud via device backups if users don't explicitly opt in for Advanced Data Encryption. Mozilla claimed that Cure53 confirmed that this risk has been addressed by adding an extra layer of encryption.

Another high priority flaw was found on desktop as the mozillavpnp application did not sufficiently restrict the application caller, potentially allowing a malicious add-on to interact with the VPN and possibly even disable the VPN connection without the user knowing. Again, Mozilla assured to have addressed this risk as recommended by Cure53.

Mozilla VPN Windows App

This is the user interface of Mozilla VPN's Windows app (Image credit: Mozilla)

As mentioned, Mozilla have reportedly fixed all the other medium and low vulnerabilities as recommended by Cure53. Similarly, the last security audit undergone in 2021 found major issues in Mozilla VPN that were all fixed during the auditing period.

On a more positive note, Cure53 also praised some of Mozilla features like split-tunneling and multi-hop connections which relied on established technology like Mullvad libraries and drivers. "The fact that these were integrated from scratch minimizes the likelihood of emerging weaknesses, with no notable concerns to report during the allocated assessment schedule," experts wrote.

Mozilla said to have decided to call in the third-party auditing firm again prior to releasing some new features. These include a malware blocking software launched in August as well as performance improvements like server location recommendations which was integrated across its apps in June.

The provider has also expanded its server network across 16 more European countries, including  Denmark, Hungary, Portugal, and more. 

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to