Mozilla recently filed a brief in a district court in Tacoma, Wash., seeking information about a security flaw in its Firefox browser, whose code underlies the Tor browser that lets users surf the Web anonymously and protect their identity. In 2015, the FBI exploited this flaw to expose Tor users in a criminal investigation.
In February 2015, the agency seized the computer servers for Playpen, a child porn site reachable through the Firefox-based Tor browser, from a Web host in Lenoir, N.C., the Hacker News reported. Between Feb. 20 and March 4, the FBI kept the website running from its own servers in Newington, Va., and used its Network Investigative Technique (NIT) to identify the IP addresses of users who logged on to the illegal site.
The technique caused a user's computer to send data to the FBI whenever that person visited the site. This allowed the agency to identify the real IP addresses of all users visiting the illegal site.
It was recently revealed that a former Tor Project employee, Matthew J. Edman, created malware for the agency, which U.S. intelligence and law enforcement agencies used in numerous investigations to expose Tor users. The agency went on to hack more than a thousand computers in the United States alone and more than 3,000 abroad.
Two months ago, a judge ordered the FBI to disclose the full source code of the Tor exploit, which affected the Tor browser in addition to Firefox. The same vulnerability may also have been used to hack visitors to Playpen.
The Tor browser is partly based on the Firefox browser code. Some people, including the defense team members, speculated that the vulnerability possibly existed in the part of the Firefox browser code that the Tor browser relied on, a blog post by Mozilla's chief legal and business officer Denelle Dixon-Thayer said. As of now, no one outside the government is aware of the precise vulnerability exploited by the agency and whether it still exists in any of Firefox's code base, she added.
According to Dixon-Thayer, a judge ordered the vulnerability disclosed to lawyers for a defendant, Jay Michaud, but not to anyone who could actually fix it. She wrote that this makes no sense to Mozilla, because it does not allow the vulnerability to be fixed before it is disclosed more widely.
Michaud is among the 137 people who have been charged in the FBI investigation of the seized servers. The investigation has recently run into legal problems, as two defendants have won rulings declaring the search warrants used in their cases invalid.
Watch "The FBI Tor Browser vulnerability exploit" below: