Mozilla has filed a motion [PDF] with a U.S. district court requesting information about potential Firefox vulnerabilities unearthed by the government in a criminal investigation.
This demand relates to an ongoing case brought about by the FBI after it hacked a Dark Web child pornography website back in February 2015 and ran it from a government facility in Virginia. The exploit discovered by the FBI was reportedly found in the Tor Browser, software that provides anonymity to online users. Tor is essentially built on the same base code as the open-source Firefox browser, which had led to speculation that the vulnerability actually lies in the Firefox code.
Mozilla’s motion, which was filed in the United States District Court, Western District of Washington yesterday, lays out the company’s case that it should be granted access to the details of the vulnerability so as to ascertain whether the exploit also impacts the main Mozilla Firefox browser.
The Government has refused to tell Mozilla whether the vulnerability at issue in this case involves a Mozilla product. Nevertheless, Mozilla has reason to believe that the Exploit the Government used is an active vulnerability in its Firefox code base that could be used to compromise users and systems running the browser.
The defendants in the criminal case were granted access to the malware code that was used, though the Department of Justice initially resisted. Now Mozilla wants access to the same information.
“The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability,” said Denelle Dixon-Thayer, chief legal and business officer at Mozilla Corporation, in a blog post. “We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed.”
The Mozilla case bears striking similarities to the ongoing feud between Apple and the government, after the White House refused to disclose the unlocking method used to access an iPhone belonging to one of the San Bernardino killers. There is a tangible tension between tech companies and authorities, and with Mozilla now claiming that the government has refused to divulge the exploit it used to infiltrate Tor, this division will surely widen.
“Governments and technology companies both have a role to play in ensuring people’s security online,” added Dixon-Thayer. “Disclosing vulnerabilities to technology companies first allows us to do our job to prevent users from being harmed and to make the Web more secure.”