The provided staging build contains the Mozilla VPN WebSocket Controller, which
exposes a WebSocket endpoint on localhost. No additional authentication is required to
interact with this port, thus allowing any website to connect and interact with the VPN
client. At the beginning of the audit, Mozilla assured that this WebSocket server is only
part of the staging build. However, later it was revealed that Mozilla would like to reuse
this connection for communication with a browser extension in the future. Thus, Cure53
decided to report this issue.

The following code can be hosted on an arbitrary website. When Mozilla VPN is running,
the website will connect to the WebSocket port and request a screenshot. This
screenshot can then be leaked to the attacker.
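
Separately from the proof of concept referred to above, an added defensive example (not code from the Cure53 report or from Mozilla VPN): an Origin check applied to the WebSocket handshake, the kind of gate whose absence lets any website connect to a localhost endpoint. The function names, the allowlisted extension origin and the sample handshakes are constructed for illustration.

```javascript
// Added example: Origin gate for a localhost WebSocket control endpoint.
// Function names, the allowlist entry and the sample handshakes are constructed.

// Exact-match allowlist (placeholder extension origin, not a real ID).
const ALLOWED_ORIGINS = new Set([
  "moz-extension://00000000-0000-4000-8000-000000000000",
]);

// Canonicalise a serialized origin (scheme://host[:port]); return null for
// anything else: the literal "null", paths, userinfo, whitespace, lists.
function normaliseOrigin(value) {
  if (typeof value !== "string") return null;
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#@\s,]+)$/i.exec(value);
  return m ? `${m[1].toLowerCase()}://${m[2].toLowerCase()}` : null;
}

// Decide on the HTTP upgrade request before any WebSocket frame is processed.
// `headers` has lower-case keys, as Node's http module presents them.
// `allowNoOrigin` covers non-browser local tools, which send no Origin header.
function decideUpgrade(headers, allowNoOrigin = false) {
  const raw = headers["origin"];
  if (raw === undefined) {
    return allowNoOrigin
      ? { accept: true, status: 101, reason: "no Origin (non-browser client)" }
      : { accept: false, status: 403, reason: "missing Origin" };
  }
  const origin = normaliseOrigin(raw);
  if (origin === null) return { accept: false, status: 403, reason: "malformed Origin" };
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { accept: false, status: 403, reason: "Origin not allowlisted" };
  }
  return { accept: true, status: 101, reason: "allowlisted Origin" };
}

// Constructed handshakes: an arbitrary site, a look-alike suffix, a sandboxed
// frame ("null"), the allowlisted extension, and a client with no Origin.
const SAMPLES = [
  { origin: "https://attacker.example" },
  { origin: "moz-extension://00000000-0000-4000-8000-000000000000.attacker.example" },
  { origin: "null" },
  { origin: "MOZ-EXTENSION://00000000-0000-4000-8000-000000000000" },
  {},
];

// Run the gate over the constructed handshakes; true means the upgrade proceeds.
function evaluateSamples() {
  return SAMPLES.map((h) => decideUpgrade(h).accept);
}
```

An Origin check stops web pages, since page script cannot override the Origin header a browser sends; other local processes can send any value and need separate authentication.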