Mozilla is pressing the government to disclose a possible security vulnerability in its Firefox web browser that helped the FBI track down visitors to a child pornography site.
The vulnerability is at the center of a case in the Western District of Washington. Mozilla filed a brief on Wednesday with the court asking that the FBI disclose the vulnerability to it before releasing it to anyone else, including the defendant in the case.
Mozilla said there is good reason to believe the unknown vulnerability is still active and it is putting millions of users at risk.
“Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well,” the group wrote in the court filing.
The federal case centers on a child pornography website that the FBI took over in order to track visitors to the site. The site was located on the deep web outside the reach of common search engines. To access it, users were required to have special anonymity software, called the Tor Browser, which is partially based on Firefox’s open-source code.
The FBI exploited a software vulnerability in the Tor network that allowed law enforcement to trace the location of the computers visiting the site. Because Tor’s code is partially based on Firefox, the group believes the vulnerability is widespread.
“Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla’s products,” the group said.
Earlier this year, the court ordered that the government turn over some evidence to the defendant, Jay Michaud, in the child porn case, including the hacking technique it used.
Mozilla said it has no problem if the government eventually turns over the information. But the group wants a two-week head start so it can patch the Firefox security hole.
“Although Mozilla is not opposed to disclosure to the Defendant, any disclosure without advance notice to Mozilla will inevitably increase the likelihood the exploit will become public before Mozilla can fix any associated Firefox vulnerability,” the group wrote.