Remember how the FBI took advantage of an unknown flaw in the Firefox browser and the Tor anonymity network to hack a child pornography site? Mozilla has now taken legal action, asking the U.S. District Court in Tacoma, Washington, to order the law enforcement agency to give the company the details of how Firefox was exploited.
Ahead of the deadline by which the FBI must disclose the Firefox and Tor exploits to a defendant in the court case, Mozilla wants the agency to reveal the flaw to the company first, so that it can quickly patch the bug before attackers take advantage of it.
Mozilla’s legal team maintains that industry best practice dictates that a court-ordered disclosure of a vulnerability must first be made to the security researchers of the affected technology firm, so that the flaw can be fixed before bad actors uncover it. Despite the government’s refusal to target the Tor and Firefox code in the investigation, the FBI continued to exploit the Tor browser, which is built in part on Firefox’s open source code.
Mozilla warns that if the vulnerability leaks to the hacker community, millions of users of the Firefox browser and of other products are at risk, because the browser is built on open source code that is continuously available to developers, who may view and repurpose it to create other products. That is how Tor was conceived in the first place.
In February, the FBI captured the site servers of Jay Michaud, who was arrested for possessing child pornographic videos, by applying the Firefox and Tor vulnerabilities to the site. Even now, Mozilla does not have clear knowledge of the kind of flaw the FBI used to capture the servers. The company also laments that the judge agreed to let the government disclose the flaw to the defendant, but not to Mozilla, which could patch the vulnerability.
Mozilla fears that the government, specifically the FBI, may be planning to stockpile the exploit in order to target the company’s products in future investigations. The FBI recently cracked an iPhone using an exploit it purchased from an unknown entity, and the government is also said to stockpile zero-day vulnerabilities more generally.
Mozilla’s legal counsel believes any vulnerability can put users in danger, and so it urges everyone, including the government, to disclose any discovered flaw to Mozilla as soon as possible so that a fix can be rolled out.