On Wednesday, Mozilla filed a motion asking the FBI to disclose a potential vulnerability in the Firefox browser that the bureau allegedly used to hack visitors of a child pornography site. The move is likely to trigger a fierce debate around the responsibility of governments to disclosure vulnerabilities used in investigations to affected companies.
"Absent great care, the security of millions of individuals using Mozilla's Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability," James E Howard, an attorney for Mozilla, writes. Mozilla is also asking the FBI for confirmation of what Mozilla products, if any, the vulnerability affects.
"We aren't taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure," Denelle Dixon-Thayer, chief legal and business officer at Mozilla, elaborated in a blog post published Wednesday.
The filing was made as part of a case involving dark web child pornography site "Playpen." In February 2015, the FBI took over Playpen and deployed a network investigative technique (NIT)—the agency's term for a hacking tool—in order to identify users of the site. In all, the FBI hacked over a thousand computers in the US, and over three thousand abroad.
In an affected case, a judge ordered the FBI to provide the full exploit code used to the defense under a protective order. That exploit, as Motherboard previously reported, may not have only affected the Tor Browser, which would have likely been used by Playpen users to connect to the site, but Firefox too.
"It makes no sense to allow the information about the vulnerability to be disclosed to an alleged criminal, but not allow it to be disclosed to Mozilla," the filing reads,
Mozilla claims to have contacted the government asking for more information about the NIT, but has not been provided with any.
"Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla's products," Howard writes. In a comment previously provided to Motherboard, a Mozilla spokesperson said that "Mozilla has never received a vulnerability disclosure from FBI."
The main thrust of Mozilla's argument is that if this potential vulnerability does affect Firefox, that puts hundreds of millions of users at risks; users who could be protected if Mozilla was given more information about the vulnerability, and then the opportunity to patch it if necessary.
"To protect the safety of Firefox users, and the integrity of the systems and networks that rely on Firefox, Mozilla requests that the Court order that the Government disclose the exploit to Mozilla at least 14 days before any disclosure to the Defendant, so Mozilla can analyze the vulnerability, create a fix, and update its products before the vulnerability can be used to compromise the security of its users' systems by nefarious actors," Howard writes. As the filing points out, Mozilla is used by ordinary citizens, corporations, and government entities alike, including the US, and on tablets, computers, and mobile phones.
Mozilla says it has reason to believe that the exploit used in the Playpen investigation relies on an active vulnerability in Firefox, pointing to testimony from an FBI agent, and the fact that the Tor Browser, which would have likely been used by visitors of Playpen, is heavily based on Firefox.
Mozilla, however, is concerned that the protective order currently in place for the defense's handling of the vulnerability is inadequate, considering the huge ramifications its exposure could have.
"The protective order does not contain restrictions on disclosing knowledge learned through examining NIT Protected Material. This alone marks a serious deficiency in the Protective Order as the damaging information about the vulnerability is likely something that someone can easily remember," the filing reads, and points out more technical protections taken in other cases. From here, Mozilla argues that the protective order should be modified as well, to ensure that details of the vulnerability do not spill out into the public domain.
"The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don't believe that this makes sense because it doesn't allow the vulnerability to be fixed before it is more widely disclosed," Dixon-Thayer continued in her blog post.
"If a vulnerability is publicly disclosed before a company is notified, criminals can quickly mount attacks using the published information," the filing adds.
This is one of the most high profile cases to revolve around the issue of governments disclosing vulnerabilities to affected vendors. Recently, the FBI said it could not disclose a security issue used to brute-force entry into the San Bernardino iPhone, because the agency did not possess enough information to do so."Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community. In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly," Dixon-Thayer added.