Mozilla’s bid for disclosure of the vulnerability was rejected by a US judge, district court judge Robert Bryan in Tacoma, Washington. Before Mozilla requested anything, Bryan told prosecutors to give information on the flaw in the Tor browser the FBI used to track Michaud’s whereabouts. The Justice Department asked Bryan to reconsider, citing a national security risk, but the judge said last Thursday that prosecutors didn’t have to.
Mozilla sent a request to the judge for the information so it could close the vulnerability, which it says is a security risk to Firefox users.
“It appears that Mozilla’s concerns should be addressed to the United States,” Bryan said.
One of 137 others, Michaud is facing charges in the US due to the FBI seizure of Playpen. Mozilla said it has a right to know about the hack used by the FBI to track the online criminal so it can be fixed before anyone else has the chance to use it. An online child predator was caught by means of a zero-day exploit in Tor, which contains code similar to Firefox's. The FBI continued to use it to catch more predators in the Playpen child porn ring.
In spite of the requests, the FBI never gave up any information to anyone, in case it needs to use the exploit again, and it is unknown whether the issue has been fixed.
“The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. At this point no one, including us, outside the government knows what vulnerability was exploited and whether it resides in any of our code base,” Mozilla’s chief legal and business officer Denelle Dixon-Thayer wrote in a blog post recently.
She went on to explain that leaving the issue unfixed could be dangerous, because other hackers could find it and use it to hack people and companies.
“We aren’t taking sides in the case, but we are on the side of hundreds of users who could benefit from timely disclosure,” she also wrote.
This isn’t the only time the FBI has refused to share information. It also wouldn’t give up any information on how it managed to hack the San Bernardino shooter’s iPhone.