(Cyberwar.news) Mozilla is pressing the U.S. government to provide it with details of a possible security vulnerability in its Firefox web browser that enabled the FBI to track down visitors to a child pornography site, The Hill reported.
The vulnerability is at the center of a case in the Western District of Washington, where Mozilla filed a brief last week asking the court to order the FBI to disclose the vulnerability to Mozilla before releasing it to anyone else, including a defendant in the case.
The Firefox developer said in the brief that there is good reason to believe the unknown vulnerability may still be active and that it is putting users at risk.
“Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well,” the group wrote in the court filing.
The federal case involves a child pornography website that the FBI took over so it could track site visitors. The site was hosted on the deep web, outside the reach of the common search engines. To gain access to the site, users were required to have special anonymity software – the Tor Browser – which is partly based on Firefox’s open source code.
The FBI reportedly exploited a vulnerability in the Tor network that permitted federal law enforcement officials to track the location of the computers visiting the site. Because the Tor code is based partially on Firefox, Mozilla believes the vulnerability may be widespread, The Hill reported.
“Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla’s products,” the group said.
The group noted it has no problem if the FBI turns over the vulnerability to the defendant in the case, Jay Michaud. But the group is requesting a two-week head start in order to patch the vulnerability before it is widely known.
“Although Mozilla is not opposed to disclosure to the Defendant, any disclosure without advance notice to Mozilla will inevitably increase the likelihood the exploit will become public before Mozilla can fix any associated Firefox vulnerability,” the group wrote.