Mozilla wants feds to turn over Firefox hack used to catch sex offender

In a court filing, the browser maker said the government should not sit on a vulnerability that threatens millions of users.



Mozilla is asking the US government to disclose how it hacked its browser in order to catch an online predator.

The browser maker argued in a blog post that the FBI should turn over details of the flaw "before it is disclosed to any other party."

Last year, the FBI exploited a previously undisclosed zero-day flaw in Tor's browser bundle, which consists of a modified version of Firefox, in an effort to identify users of a child sexual abuse website. The feds continued to operate the servers so that suspects could keep visiting the site, allowing law enforcement to draw up arrest warrants.

"We aren't taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure," said Denelle Dixon-Thayer, Mozilla chief legal and business officer.

In the amicus brief filed Wednesday, the company said that the flaw, "in the wrong hands," "could result in millions of ransomware infections."

Dixon-Thayer added:

"The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base. The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability."

The flaw should be disclosed as part of the government's so-called Vulnerabilities Equities Process, which determines if a flaw should be used for intelligence purposes, or privately disclosed.

Earlier this month, the FBI said it would not reveal the flaw it used to hack into the iPhone used by one of the San Bernardino shooters.

Apple said it would not sue to discover the method used, likely leaving questions unanswered about how federal agents cracked the device's security.