Judge won’t force government to disclose vulnerability to Mozilla

If Mozilla wants the FBI to disclose a potential hacking vulnerability on its Firefox browser, it should take it up with the government directly, a judge ruled on Monday.  

Federal judge Robert Bryan denied Mozilla’s motion to intervene in a related criminal case in Washington involving a child pornography site. Mozilla believes a security vulnerability in its browser helped law enforcement track down the location of computers that visited the site. 

Mozilla pressed the court last week to force the FBI to disclose the vulnerability to it before releasing it to anyone else, including the defendant in the case.


But the judge on Monday said Mozilla’s request did not apply anymore, since the judge recently ruled that the government would not be required to share the vulnerability with the defendant in the case. 

“It appears that Mozilla’s concerns should be addressed to the United States and should not be part of this criminal proceeding,” the judge wrote in a two-page order.

Mozilla says there is good reason to believe the unknown vulnerability is still active and putting millions of users at risk. The government has previously refused to disclose the vulnerability to Mozilla directly. 

The federal case centers on a child pornography website that the FBI took over in order to track visitors to the site. The site was located on the deep web, outside the reach of common search engines. To access it, users were required to have special anonymity software, called the Tor browser, which is partially based on Firefox’s open-source code.

The FBI exploited a software vulnerability in the Tor network that allowed law enforcement to trace the location of the computers visiting the site. Because Tor’s code is partially based on Firefox, the group believes the vulnerability is widespread.