FBI refuses to hand over Mozilla security flaw

Vulnerability exploited in Firefox-based Tor browser.

A federal judge has rejected Mozilla's request to force the US government to disclose a vulnerability related to the Firefox web browser that the company says was exploited by the FBI to investigate users of a large and secretive child pornography website.

US District Judge Robert Bryan in Tacoma, Washington, on Monday declined to allow Mozilla to intervene in a case against a school administrator charged in the investigation, Jay Michaud.

Bryan had previously ordered prosecutors to disclose to Michaud's lawyers a flaw in a browser that is partly based on the code for Mozilla's Firefox browser and is used to view websites, including child porn, on the anonymous Tor network.

Mozilla subsequently moved to intervene, seeking an order forcing the government to disclose to Mozilla the vulnerability before revealing it to Michaud so the company could fix it.

But after the Justice Department asked Bryan to reconsider, citing national security interests, he held on Thursday that prosecutors do not need to make the disclosure to Michaud.

In Monday's ruling, Bryan said Thursday's decision made Mozilla's request moot and it "appears that Mozilla's concerns should be addressed to the United States".

Michaud is one of 137 people facing US charges after the FBI in February 2015 seized the server for Playpen, a child porn website on the Tor network, which is designed to allow anonymous online communication and protect user privacy.

To identify its 214,898 members, authorities sought a search warrant from a Virginia judge allowing them to deploy a "network investigative technique".

That technique would cause a user's computer to send them data any time that user logged onto the website while the FBI operated it for two weeks.

Thousands of people domestically and abroad are being investigated. The probe recently ran into trouble after two defendants secured rulings declaring warrants in their cases invalid.

A Justice Department spokesman declined comment. A Mozilla spokeswoman had no immediate comment. Colin Fieman, Michaud's lawyer, said he would seek the indictment's dismissal as a sanction for prosecutors electing to not make the disclosure.

Mozilla's brief came amid renewed attention to the process for disclosing computer security flaws discovered by federal agencies.

Mozilla has said it asked if the FBI submitted the browser flaw through an interagency vulnerability review process used to determine if vulnerabilities should be disclosed to affected companies or should be used secretly, but received no answer.
