While completing vendor risk assessments with our enterprise customers, one topic has come up a few times: the WonderSwitcher. Our browser plugin (that makes testing geoIP and browser Geolocation applications a breeze) is also the only piece of code we write that sits on customers' computers. A third-party security audit was in order.
To perform the audit, we selected Cure53, a respected code audit and penetration testing firm. We felt their experience in the industry would bring both tremendous value to our software, and peace of mind to our customers. I had some initial concern that the unusual thing we were auditing (a browser plugin) would be a problem, but the professionals at Cure53 didn't miss a beat.
We wanted to assure customers that the Switcher does what we say it does (switch proxy servers), without sending secret data back to us, and without being vulnerable to malicious activity. An audit that concentrates on the Switcher will necessarily include ways that the Switcher can communicate with other systems. One system that communicates with the Switcher is the wonderproxy.com website, so features like the account server import were part of the audit.
The Cure53 team found three vulnerabilities and four miscellaneous issues between the Switcher and our website.
- WON-01-002 Extension: 3rd-party extensions can send store commands (Medium)
- WON-01-005 Proxy: DNS lookup error page leaks user credentials (High)
- WON-01-006 Extension: Missing validation for imported server data (Low)
- WON-01-001 Firefox: Proxy bypass via ftp protocol handler (Info)
- WON-01-003 Extension: Fake geolocation can be bypassed (Info)
- WON-01-004 Proxy: User IP disclosed via overlong header error page (Info)
- WON-01-007 Extension: PAC script injection via proxy information (Info)
Fixing the proxy server issues (005 and 004) involved changing the error message displayed to users by our proxy servers themselves. The Firefox issue (001) we resolved by documenting the bypass. The issues in the Switcher itself (002, 003, 006, and 007) were resolved in version 4.5.1 and released on September 14th, 2020. The Firefox developer center provides version data, so we’re able to see that uptake was swift:
If you're interested in the details of each fix, you're in luck! See Tom Riley's follow up post.
We'd like to thank the team at Cure53 for their work. We found them easy to work with, and their detailed report was instrumental as we worked to find and resolve the issues they found.