Mozilla Wants Heads-Up From FBI on Tor Browser Hack

A user of a dark web child-porn website is demanding access to the security vulnerability the FBI used to expose him. Mozilla wants to see it first, so it can fix it.

Photo: Mozilla in Europe

The maker of the Firefox browser is wading into an increasingly contentious court battle over an undisclosed security vulnerability the FBI used to track down anonymous users of a child-porn site.

The FBI took over a dark web child-pornography site called Playpen last year and, rather than shut it down, used a secret, still-undisclosed vulnerability in the Tor Browser to install malware on the computers of more than 1,000 users that allowed the FBI to determine their locations.

But in Tacoma, Washington, lawyers for a school administrator caught in the dragnet have successfully demanded the right to review the malware in order to pursue their argument that it, rather than he, was responsible for the illicit material ending up on his computer.

The Tor Browser is a free browser that shields a user’s identity. It is also based on code from the Firefox browser.

Mozilla, the organization behind Firefox, has long worried that the Tor Browser vulnerability might still be out there, could be exploited by bad actors, and could exist in Firefox, which is much more widely used than the Tor Browser.

So while it seems likely that the FBI will go to great lengths not to turn over the code – possibly dropping the case altogether – Mozilla’s top lawyer, Denelle Dixon-Thayer, is now arguing “that the government must disclose the vulnerability to us before it is disclosed to any other party.”

She explained: “Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community. In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly.”

Dixon-Thayer noted that Mozilla isn’t taking sides, pro- or anti-disclosure. It just wants to make sure that if there is disclosure, Mozilla gets it first. Here is the legal brief Mozilla filed on Wednesday.

The issue of when the government should disclose security vulnerabilities is a hotly contested issue outside the courtroom as well.

The Obama administration’s policy is that when the government learns of a new flaw, it has to submit the flaw to an interagency group. The White House says that group has a “strong bias” toward disclosure to vendors so that they can fix them, rather than just letting the agencies keep the flaws secret and continue to use them. But the evidence suggests that is not the case.

Top photo: “Mozilla Booth” by Mozilla in Europe using CC BY 2.0, photo cropped.

Join The Conversation