Mozilla’s bid for Tor hack used in child porn case rejected

Firefox maker will not be granted access to an exploit the FBI uncovered in Tor

18/05/2016:A US judge has rejected a bid by Mozilla to disclose a vulnerability, connected to its Firefox browser, that was exploited by the FBI to track child predators the dark web.

Mozilla's attempt to intervene in a case against Jay Michaud, a school administrator charged in the investigation, was shot down on Monday by US district judge Robert Bryan in Tacoma, Washington, Reuters reports.

Prior to Mozilla's request, Bryan had instructed prosecutors to disclose to Michaud's lawyers a flaw in the Tor browser, which was allegedly used by the defendant to access images of child abuse.

Tor is partially based on the code for Mozilla's Firefox browser.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The US Department of Justice asked Bryan to reconsider, citing national security, and the judge said last Thursday that prosecutors did not need to make the disclosure to Michaud.

Mozilla had sent a bid to the judge last week requesting that it be briefed on the exploit the FBI used, so that it could close down the loophole, which it said could potentially affect users of its Firefox browser.

Responding to Mozilla's request on Monday, Bryan said its request was unlikely, adding, it "appears that Mozilla's concerns should be addressed to the United States".

Michaud is one of 137 people facing charges in the US after the FBI covertly seized control of a server hosting the website in question and tracked viewers of the site through Tor in February 2015.

13/05/2016:Mozilla wants the US government to disclose Firefox hack

Mozilla has asked the US government to provide it with information about a hack it used to catch an online criminal, saying it has the right to fix any security flaw before anyone else has the opportunity to use it.

Advertisement - Article continues below

Last year, the FBI exploited a zero-day flaw in the Tor browser, which was created partially from the Firefox base code, to catch an online child predator. The government continued to take advantage of the flaw to discover more criminals in the sexual abuse ring.

However, the FBI failed to share the vulnerability with anyone - not even Mozilla - just in case it wanted to use the security hole again. It has not been revealed whether the hole has been patched or not.

"At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base,"Denelle Dixon-Thayer, Mozilla chief legal and business officer wrote in a blog post.

"The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability."

Advertisement
Advertisement - Article continues below

She explained having an unfixed flaw could prove dangerous, because other hackers could get their hands on it and use it to cause damage to individuals and companies.

"We aren't taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure," she added.

Advertisement - Article continues below

The FBI has also refused to provide details of the security flaw it used to access one of the San Bernadino shooters' iPhones to Apple, which has angered the manufacturer.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/security/28014/how-to-enable-private-browsing
web browser

How to enable private browsing on any browser

25 Jun 2019
Visit/web-browsers/24796/which-is-the-best-browser-chrome-vs-firefox-vs-microsoft-edge
web browser

Google Chrome vs Firefox vs Microsoft Edge

30 Apr 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/network-internet/broadband/354530/openreach-offers-free-full-fibre-installation-for-thousands-of
broadband

Openreach offers free full-fibre installation for thousands of homes

14 Jan 2020