Software company Mozilla has filed a motion in court to compel the Federal Bureau of Investigation (FBI) to reveal how it managed to hack the Tor browser. Tor is partly built on the source code behind Mozilla’s Firefox browser, and the company said it is worried whatever bug federal agents exploited to attack the Tor network could also be used by hackers against Firefox.
The filing, submitted Wednesday in U.S. District Court in Washington, is an amicus curiae brief in the case of United States of America v. Jay Michaud. According to the brief, Mozilla is acting as a third party, not on behalf of either side, with the intention of requiring the government to disclose the vulnerability to Mozilla before disclosing it to the defendant.
Millions at Risk
“Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability,” the company argued in its brief to the court.
Mozilla said it believes the exploit used by the FBI in the Michaud case is part of a previously unknown, and therefore potentially still active, vulnerability in the Firefox code base.
The company said its belief is based on the fact that a prior government exploit of the Tor browser was alleged to have taken advantage of such a vulnerability. In addition, technical experts called during the case have testified that they believe the government has access to a Firefox vulnerability.
Mozilla said it has already contacted the government regarding the matter, but the feds have so far refused to disclose any information about the exploit, including whether it could be used against Firefox or other Mozilla products.
“We aren’t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure,” Denelle Dixon-Thayer, Mozilla’s chief legal and business officer, wrote in a blog post.
Fixing the Vulnerability Before Disclosure
“At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base,” Dixon-Thayer added. “The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed.”
The Michaud case centers on the FBI’s attempt to infiltrate a child porn Web site located on the so-called Dark Net. Dark Net Web sites can only be accessed via the Tor browser. The FBI said it used a vulnerability in the Firefox browser to take control of the site, which then uploaded malware to the computers of the site’s visitors.
Once the technique has been exposed in court, the code used by the FBI in its efforts could potentially be used by anyone to remotely place instructions on an individual’s system to send back specific information, according to Mozilla's court filing.