Mozilla’s bid for Tor hack used in child porn case rejected

Firefox maker will not be granted access to an exploit the FBI uncovered in Tor

18/05/2016:A US judge has rejected a bid by Mozilla to disclose a vulnerability, connected to its Firefox browser, that was exploited by the FBI to track child predators the dark web.

Mozilla's attempt to intervene in a case against Jay Michaud, a school administrator charged in the investigation, was shot down on Monday by US district judge Robert Bryan in Tacoma, Washington, Reuters reports.

Prior to Mozilla's request, Bryan had instructed prosecutors to disclose to Michaud's lawyers a flaw in the Tor browser, which was allegedly used by the defendant to access images of child abuse.

Tor is partially based on the code for Mozilla's Firefox browser.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The US Department of Justice asked Bryan to reconsider, citing national security, and the judge said last Thursday that prosecutors did not need to make the disclosure to Michaud.

Mozilla had sent a bid to the judge last week requesting that it be briefed on the exploit the FBI used, so that it could close down the loophole, which it said could potentially affect users of its Firefox browser.

Responding to Mozilla's request on Monday, Bryan said its request was unlikely, adding, it "appears that Mozilla's concerns should be addressed to the United States".

Michaud is one of 137 people facing charges in the US after the FBI covertly seized control of a server hosting the website in question and tracked viewers of the site through Tor in February 2015.

13/05/2016:Mozilla wants the US government to disclose Firefox hack

Mozilla has asked the US government to provide it with information about a hack it used to catch an online criminal, saying it has the right to fix any security flaw before anyone else has the opportunity to use it.

Advertisement - Article continues below

Last year, the FBI exploited a zero-day flaw in the Tor browser, which was created partially from the Firefox base code, to catch an online child predator. The government continued to take advantage of the flaw to discover more criminals in the sexual abuse ring.

However, the FBI failed to share the vulnerability with anyone - not even Mozilla - just in case it wanted to use the security hole again. It has not been revealed whether the hole has been patched or not.

"At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base,"Denelle Dixon-Thayer, Mozilla chief legal and business officer wrote in a blog post.

"The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability."

Advertisement
Advertisement - Article continues below

She explained having an unfixed flaw could prove dangerous, because other hackers could get their hands on it and use it to cause damage to individuals and companies.

"We aren't taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure," she added.

Advertisement - Article continues below

The FBI has also refused to provide details of the security flaw it used to access one of the San Bernadino shooters' iPhones to Apple, which has angered the manufacturer.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/security/28014/how-to-enable-private-browsing
web browser

How to enable private browsing on any browser

25 Jun 2019
Visit/web-browsers/24796/which-is-the-best-browser-chrome-vs-firefox-vs-microsoft-edge
web browser

Google Chrome vs Firefox vs Microsoft Edge

30 Apr 2019

Most Popular

Visit/cloud/cloud-computing/354767/google-cloud-snaps-up-multi-cloud-analytics-platform-for-26bn
cloud computing

Google Cloud snaps up multi-cloud analytics platform for $2.6bn

13 Feb 2020
Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/cloud/microsoft-azure/354771/microsoft-azure-is-a-testament-to-satya-nadellas-strategic-nouse
Microsoft Azure

Microsoft Azure is a testament to Satya Nadella’s strategic nouse

14 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020