Mozilla’s bid for Tor hack used in child porn case rejected

Firefox maker will not be granted access to an exploit the FBI uncovered in Tor

18/05/2016:A US judge has rejected a bid by Mozilla to disclose a vulnerability, connected to its Firefox browser, that was exploited by the FBI to track child predators the dark web.

Mozilla's attempt to intervene in a case against Jay Michaud, a school administrator charged in the investigation, was shot down on Monday by US district judge Robert Bryan in Tacoma, Washington, Reuters reports.

Prior to Mozilla's request, Bryan had instructed prosecutors to disclose to Michaud's lawyers a flaw in the Tor browser, which was allegedly used by the defendant to access images of child abuse.

Tor is partially based on the code for Mozilla's Firefox browser.

The US Department of Justice asked Bryan to reconsider, citing national security, and the judge said last Thursday that prosecutors did not need to make the disclosure to Michaud.

Mozilla had sent a bid to the judge last week requesting that it be briefed on the exploit the FBI used, so that it could close down the loophole, which it said could potentially affect users of its Firefox browser.

Responding to Mozilla's request on Monday, Bryan said its request was unlikely, adding, it "appears that Mozilla's concerns should be addressed to the United States".

Michaud is one of 137 people facing charges in the US after the FBI covertly seized control of a server hosting the website in question and tracked viewers of the site through Tor in February 2015.

13/05/2016:Mozilla wants the US government to disclose Firefox hack

Mozilla has asked the US government to provide it with information about a hack it used to catch an online criminal, saying it has the right to fix any security flaw before anyone else has the opportunity to use it.

Last year, the FBI exploited a zero-day flaw in the Tor browser, which was created partially from the Firefox base code, to catch an online child predator. The government continued to take advantage of the flaw to discover more criminals in the sexual abuse ring.

However, the FBI failed to share the vulnerability with anyone - not even Mozilla - just in case it wanted to use the security hole again. It has not been revealed whether the hole has been patched or not.

"At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base,"Denelle Dixon-Thayer, Mozilla chief legal and business officer wrote in a blog post.

"The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability."

She explained having an unfixed flaw could prove dangerous, because other hackers could get their hands on it and use it to cause damage to individuals and companies.

"We aren't taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure," she added.

The FBI has also refused to provide details of the security flaw it used to access one of the San Bernadino shooters' iPhones to Apple, which has angered the manufacturer.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Recommended

Chrome vs Firefox vs Microsoft Edge
web browser

Chrome vs Firefox vs Microsoft Edge

7 Jul 2021
Mozilla and Brave release one-click method for online privacy requests
web browser

Mozilla and Brave release one-click method for online privacy requests

7 Oct 2020

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Citrix mulling potential sale after tumultuous 2021
mergers and acquisitions

Citrix mulling potential sale after tumultuous 2021

15 Sep 2021
Hackers develop Linux port of Cobalt Strike for new attacks
Security

Hackers develop Linux port of Cobalt Strike for new attacks

14 Sep 2021