Mozilla’s bid for Tor hack used in child porn case rejected

chrome and firefox

18/05/2016:A US judge has rejected a bid by Mozilla to disclose a vulnerability, connected to its Firefox browser, that was exploited by the FBI to track child predators the dark web.

Mozilla's attempt to intervene in a case against Jay Michaud, a school administrator charged in the investigation, was shot down on Monday by US district judge Robert Bryan in Tacoma, Washington, Reuters reports.

Prior to Mozilla's request, Bryan had instructed prosecutors to disclose to Michaud's lawyers a flaw in the Tor browser, which was allegedly used by the defendant to access images of child abuse.

Tor is partially based on the code for Mozilla's Firefox browser.

The US Department of Justice asked Bryan to reconsider, citing national security, and the judge said last Thursday that prosecutors did not need to make the disclosure to Michaud.

Mozilla had sent a bid to the judge last week requesting that it be briefed on the exploit the FBI used, so that it could close down the loophole, which it said could potentially affect users of its Firefox browser.

Responding to Mozilla's request on Monday, Bryan said its request was unlikely, adding, it "appears that Mozilla's concerns should be addressed to the United States".

Michaud is one of 137 people facing charges in the US after the FBI covertly seized control of a server hosting the website in question and tracked viewers of the site through Tor in February 2015.

13/05/2016:Mozilla wants the US government to disclose Firefox hack

Mozilla has asked the US government to provide it with information about a hack it used to catch an online criminal, saying it has the right to fix any security flaw before anyone else has the opportunity to use it.

Last year, the FBI exploited a zero-day flaw in the Tor browser, which was created partially from the Firefox base code, to catch an online child predator. The government continued to take advantage of the flaw to discover more criminals in the sexual abuse ring.

However, the FBI failed to share the vulnerability with anyone - not even Mozilla - just in case it wanted to use the security hole again. It has not been revealed whether the hole has been patched or not.

"At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base,"Denelle Dixon-Thayer, Mozilla chief legal and business officer wrote in a blog post.

"The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability."

She explained having an unfixed flaw could prove dangerous, because other hackers could get their hands on it and use it to cause damage to individuals and companies.

"We aren't taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure," she added.

The FBI has also refused to provide details of the security flaw it used to access one of the San Bernadino shooters' iPhones to Apple, which has angered the manufacturer.

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.