FBI allegedly discovered Mozilla Firefox flaw when investigating child porn websites
Mozilla has urged the FBI to disclose the details of a potentially serious security vulnerability discovered in its Firefox browser during a criminal investigation.
The bureau apparently uncovered the flaw when investigating a child pornography ring, and used the vulnerability to capture and prosecute several paedophiles.
But Mozilla has now filed a legal brief asking the bureau to share the software vulnerabilities found so it can fix them before any innocent users are affected.
Mozilla is concerned that this technique exploited a flaw in the Tor browser used by paedophiles to access the site. Tor is partly powered by the same code used in Firefox, and Mozilla is now urging the FBI to provide the full exploit code it used to ensure that Firefox is not compromised in any way.
The FBI has already been ordered by the judge in a separate case to reveal these details to the defence team, but not to any of the entities (including Mozilla) that could actually fix the vulnerability.
“It makes no sense to allow the information about the vulnerability to be disclosed to an alleged criminal, but not allow it to be disclosed to Mozilla,” Mozilla’s filing states.
The filing was revealed in a Mozilla blog post, in which Denelle Dixon-Thayer, chief legal and business officer at the company urged the FBI to share what it had found.
“We aren’t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure,” she wrote.
The case concerns an FBI investigation into Playpen, a dark web child pornography site that was taken over by the bureau in February 2015. It was then able to deploy a hacking tool known as network investigative technique (NIT) in order to identify users of the site.
Overall, over a thousand computers were hacked using this method in the US, and over three thousand more abroad.
“Governments and technology companies both have a role to play in ensuring people’s security online. Disclosing vulnerabilities to technology companies first, allows us to do our job to prevent users from being harmed and to make the Web more secure,” Dixon-Theyer added.
The FBI has come under fire for not revealing details of a flaw it found in iOS that allowed it to access an iPhone 5C device involved in a terrorist attack in San Bernadino, California last year.
How well do you know your web browsers? Take our quiz!