Governance & Risk Management , Privacy , Standards, Regulations & Compliance

Judge to Mozilla: Ask FBI for Firefox Vulnerability Details

Mozilla Says Millions of Users May Be at Risk
Judge to Mozilla: Ask FBI for Firefox Vulnerability Details

Mozilla has been wondering if the FBI exploited a vulnerability in its Firefox browser as part of a sweeping child pornography investigation. But it appears that no answer will be immediately forthcoming.

See Also: The Ultimate PIA and DPIA Handbook for Privacy Professionals

U.S. District Court Judge Robert J. Bryan on Monday denied Mozilla's request to intervene in a criminal case related to Playpen, a child pornography site shut down by the FBI last year.

"It appears that Mozilla's concerns should be addressed to the United States and should not be part of this criminal proceeding," Bryan wrote in a related order.

Mozilla officials could not be reached for comment on Tuesday. The organization has said it has already tried to approach the government directly for the information but that its request was refused.

Mozilla sought to force the government to reveal the software flaw, arguing that its disclosure to Jay Michaud's defense team could put millions of its users at risk if details of it leaked.

Michaud's defense team had sought the details of the software flaw to help build his defense. He was arrested in July 2015 on suspicion of possessing child pornography and charged in U.S. District Court in Tacoma, Wash., as part of the FBI's Playpen investigation. Michaud was working as a middle school teacher and has been placed on administrative leave until the outcome of his case is known.

On Feb. 17, Bryan ordered the government to turn over the information to Michaud's defense team. Government prosecutors, however, sought to reverse the order.

In response, Mozilla filed a motion on May 11 asking to intervene in the case. It petitioned the court to be provided with the vulnerability details no less than two weeks before the defense received them, in order to engineer a patch.

Judge Reverses Order

But a day after Mozilla's motion was filed, Bryan reversed his February ruling, and allowed the government to keep the vulnerability information secret. On Monday, he then denied Mozilla's motion, saying the issue was now "moot."

Playpen was a "hidden" website that used the Tor anonymity network to mask its true IP address. Hidden websites have ".onion" URLs and can only be browsed to by using the Tor browser, which is a modified version of Firefox.

The FBI had control of Playpen for almost two weeks in early 2015. The agency is believed to have used the vulnerability in order to learn the true IP addresses of computers that used the Tor browser to visit the website, and then traced those IP addresses back to unmask suspected Playpen users. It is unclear if the flaw exploited by the FBI is in the Tor code or Firefox's code base.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.