Millions of users of Mozilla’s Firefox web browser may be at risk, thanks to a ruling handed out by a federal judge on Monday.
US District Court Judge Robert J. Bryan rejected Mozilla’s request to force the government to reveal a vulnerability that, the company believes, the FBI exploited as part of its investigation into child pornography.
Hunting down suspects
As part of that investigation, the FBI operated a child porn site on the anonymous Tor network called Playpen for almost two weeks in early 2015.
Websites on the Tor network, known as .onion sites, are normally accessed using a modified version of Firefox called the Tor Browser. Users and sites on the Tor network don’t reveal their IP addresses to each other in order to stop their locations being revealed.
During the fortnight that they operated Playpen, the agency used a so-called “network investigative technique” (NIT) to identify the website’s users. Computers visiting the site were unwittingly infected with code that could reveal their IP address, defeating the anonymity afforded by Tor.
A defense built on the vulnerability
The ruling is part of a case involving defendant Jay Michaud, a schoolteacher and one of 137 people facing US charges in connection with Playpen. Judge Bryan ordered the government to turn over information on the software flaw to Michaud’s defence team back in February.
The team wanted the details to help build his defence after a US federal judge threw out a case against another Playpen suspect, ruling that the FBI’s NIT warrant was improperly granted by a federal magistrate judge for a case outside her jurisdiction.
Fixing the flaw
Eager to fix the software bug, on 11 May 2016 Mozilla asked Judge Bryan to order the government to disclose the vulnerability to them at least two weeks before revealing it to Michaud, so it could patch the code. It argued that millions of users could be at risk once the vulnerability was revealed.
In the meantime, however, government prosecutors had sought to reverse Judge Bryan’s order, citing national security.
Last Thursday – a day after Mozilla filed its motion – Judge Bryan decided to reverse his original decision. That meant prosecutors – i.e. the government – no longer needed to disclose details of the vulnerability to Michaud … or Mozilla. Reuters commented:
Bryan on Monday said that made Mozilla’s request moot, adding it “appears that Mozilla’s concerns should be addressed to the United States.”
Keeping users secure
Mozilla has not given up. Reuters reports that Mozilla said in a statement that it would argue to the government that…
…the safest thing to do for user security is to disclose the vulnerability and allow it to be fixed.
We’ll just have to wait and see what comes next in this saga. After all, it’s still unclear if Firefox actually has a vulnerability; it’s not know whether the flaw exploited by the FBI is in the Tor code or Firefox’s code base, although Mozilla has commented on its blog:
Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser.
Whether Firefox has a flaw or not, its millions of users won’t feel safe until the situation is clear and any holes have been plugged.