Mozilla Foundation Security Advisory 2021-31
Multiple Low Security Issues in Mozilla VPN
- Announced: July 14, 2021
- Impact: low
- Products: Mozilla VPN
- Fixed in: Mozilla VPN 2.3
#CVE-2021-29978: Multiple low security issues were discovered in a security audit of Mozilla VPN 2.0 branch
- Reporter: Cure53
- Impact: low
Description
Multiple low-severity security issues were discovered and fixed in the Mozilla VPN 2.x branch as part of a third-party security audit.
References
- Balrog did not verify certificate chain on macOS
- Balrog incorrectly verified certificate chain
- ATS policy unnecessarily weakened
- Authentication listener allowed disturbance of login
- Race condition in Ping Sender could expose gateway IP
- Android app allowed backups of application data
- Secure flag missing on views for Android app
- Android app supported insecure v1 signature
- Information disclosure via device endpoint
- Unencrypted shared preferences
- Android app exposes sensitive data to system logs
- Cross-site WebSocket hijacking
- Auth code could be leaked by injecting port
- Authentication listener allows disturbance of login