Mozilla has announced the completion of an independent security audit of the client software used to connect to the Mozilla VPN service. The audit examined the standalone client application, which is written with the Qt library and shipped for Linux, macOS, Windows, Android and iOS. Mozilla VPN is backed by more than 400 servers of the Swedish VPN provider Mullvad, located in more than 30 countries. Connections to the service use the WireGuard protocol.
The audit was carried out by Cure53, which has previously audited NTPsec, SecureDrop, Cryptocat, F-Droid and Dovecot. It covered a review of the source code and included testing for exploitable vulnerabilities (cryptography-related questions were out of scope). The review identified 16 security issues: 8 were classified as recommendations, 5 as low severity, two as medium severity and one as high severity.
Of these, only one medium-severity issue was classified as an actual vulnerability, since it was the only one that could be exploited in practice.
That issue caused the VPN application to leak the user's real IP address: the captive-portal detection code sent unencrypted HTTP requests directly, outside the VPN tunnel, so an attacker able to observe transit traffic could learn the user's real IP address. The workaround is to disable captive-portal detection in the settings.
The second medium-severity issue stems from missing sanitization of non-numeric values in the port number used for the OAuth callback. By substituting, in place of the port number, a value ending in “@example.com”, an attacker could leak the OAuth authentication parameters to a third party: the “@” makes a URL parser treat “127.0.0.1:<port>” as the user-info part of the URL and the text after it as the host, so the request is sent to example.com instead of 127.0.0.1.
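The following is an added example (not code from the Mozilla VPN client or from the Cure53 report) showing the mechanism behind the port-number issue: a loopback callback URL built by string interpolation, what a standards-compliant URL parser makes of it when the “port” carries an “@”, and a hardened builder that accepts only a decimal TCP port. The attacker-supplied value, function names and the `/callback` path are assumptions for illustration, not the values from the report.

```python
"""Added example: unsanitized port value vs. a validated one in a loopback
OAuth callback URL. Not Mozilla VPN code; names and paths are hypothetical."""
import re
from urllib.parse import urlsplit

LOOPBACK = "127.0.0.1"
CALLBACK_PATH = "/callback"  # hypothetical path, only for illustration


def build_callback_url_unsafe(port: str) -> str:
    """The flawed pattern: interpolate whatever was supplied as the port."""
    return f"http://{LOOPBACK}:{port}{CALLBACK_PATH}"


def build_callback_url_safe(port: str) -> str:
    """Accept only a decimal TCP port in 1..65535; reject everything else.

    Rejecting any non-digit character means an '@', '/', '#' or '?' can never
    reach the URL, so the host can only ever be the loopback address.
    """
    if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return f"http://{LOOPBACK}:{int(port)}{CALLBACK_PATH}"


def effective_target(url: str):
    """Return (host, port) that an RFC 3986 parser will actually connect to.

    urlsplit() takes the host as the text after the last '@' in the
    authority, so '127.0.0.1:8080@example.com' yields host 'example.com'.
    """
    parts = urlsplit(url)
    return parts.hostname, parts.port


def safe_builder_rejects(port: str) -> bool:
    """True if the hardened builder refuses the supplied port value."""
    try:
        build_callback_url_safe(port)
    except ValueError:
        return True
    return False


# Constructed attacker-controlled value (hypothetical, not the report's string).
ATTACKER_PORT = "8080@example.com"

if __name__ == "__main__":
    for port in ("8080", ATTACKER_PORT):
        url = build_callback_url_unsafe(port)
        print(f"{url!r:45} -> connects to {effective_target(url)}")
        print(f"  hardened builder rejects {port!r}: {safe_builder_rejects(port)}")
```

Run stand-alone, the script shows the unsafe URL built from the attacker value resolving to host example.com with no port at all, while the hardened builder refuses the same value and still accepts a plain `8080`.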
The third issue, rated high severity, allowed any local application, without any authentication, to communicate with the VPN client over a WebSocket bound to localhost. As an example, the report shows how, with the VPN client running, any website could trigger the creation and sending of a screenshot by generating a SCREEN_CAPTURE event. This was not classified as a vulnerability because the WebSocket was present only in internal test builds; using this channel to interact with a browser extension was only planned for the future.